EAP-PEAP MSCHAPv2 with Python Module

Gary Gwin garygwin at gmail.com
Thu Nov 9 21:45:27 CET 2017


> Perhaps you could explain why you think you need to see the NT hash.

I'm enlightened and don't think I need it anymore ;-)

Here's pseudocode for my Python authorize method for the inner-tunnel:

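import radiusd

def authorize(RAD_REQUEST):
    # RAD_REQUEST is a tuple of (attribute, value) pairs
    user_name = dict(RAD_REQUEST).get('User-Name')
    # get_user_nt_hash() is the poster's own lookup helper (not shown)
    nt_hash = get_user_nt_hash(user_name)
    config = ( ('NT-Password', nt_hash), ('Auth-Type', ':=', 'MS-CHAP'), )
    result = radiusd.RLM_MODULE_OK
    return (result, (), config)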

Which is working, the user authenticates, but I see this error:

(8)   Found Auth-Type = MS-CHAP
(8)   Found Auth-Type = eap
(8)   ERROR: Warning:  Found 2 auth-types on request for user 'testing'

That doesn't seem to cause a problem, but is there something that
should be done to suppress the error?

Thanks,

Gary



On Thu, Nov 9, 2017 at 6:09 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 8, 2017, at 9:55 PM, Gary Gwin <garygwin at gmail.com> wrote:
>>
>> What I'm really asking is how I can get access from the inner-tunnel
>> to the NT hash?
>
>   You can't.  It doesn't exist.
>
>> I don't see it passed in. Just the User-Name and EAP-Message.
>>
>> If it is encrypted in the EAP-Message payload, how do I decrypt?
>
>   It's not encrypted in EAP-Message.  It doesn't exist.
>
>   This is really quite simple.  If FreeRADIUS decodes information from a RADIUS packet or EAP-Message, it shows that information to you.  If there's no information shown... there's no information to decode.
>
>   Perhaps you could explain why you think you need to see the NT hash.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

