MSCHAPv2 Module with Stripped-Username - no ActiveDirectory
Alan DeKok
aland at deployingradius.com
Sun Nov 11 17:46:44 CET 2018
On Nov 11, 2018, at 10:57 AM, Markus Maurer <lists at v-net.tk> wrote:
>
> The problem is that the user is stored in database as following: <username> <password>
> And the request comes with <username>:<otp> <password>.
> So I have to strip the username to verify against the database. I just need something to use eap mschapv2 with a stripped-username or a an external program like ntlm_auth without AD binding which could be executed in the eap module
You can't strip the User-Name and expect that ntlm_auth will work. Again, the MS-CHAP calculations are done on the full username as supplied by the user. Which in this case, includes the OTP.
Since AD works on the *real name*, and not the *name with the OTP*, you can't pass both the real name and the one with the OTP, to ntlm_auth. ntlm_and and AD don't support that use-case.
What you want to do is impossible.
If the users name and password is in SQL, then it's possible. Look up the user in SQL based on the Stripped-User-Name (which is the default). And, do the MS-CHAP calculations based on the real User-Name (which is also the default).
And *don't* modify the User-Name attribute.
Alan DeKok.
More information about the Freeradius-Users
mailing list