MSCHAPv2 Module with Stripped-Username - no ActiveDirectory

Markus Maurer lists at v-net.tk
Sun Nov 11 18:14:30 CET 2018 

I just need an external script which makes the mschap calculation, thats all, so I could use a stripped username

> Am 11.11.2018 um 18:10 schrieb Markus Maurer <lists at v-net.tk>:
> 
> I got this working on an other system which is bound to an active directory. The only difference is that I‘m using ntlm_auth in the eap module and in the ntlm_auth command I can use the stripped-username attribute. How it works?
> The first step: check *only* the otp over rlm_perl.
> If this success:
> The second step: exec the eap module and use ntlm_auth with the stripped-username.
> 
> 
> 
>>> Am 11.11.2018 um 17:46 schrieb Alan DeKok <aland at deployingradius.com>:
>>> 
>>> On Nov 11, 2018, at 10:57 AM, Markus Maurer <lists at v-net.tk> wrote:
>>> 
>>> The problem is that the user is stored in database as following: <username> <password>
>>> And the request comes with <username>:<otp> <password>.
>>> So I have to strip the username to verify against the database. I just need something to use eap mschapv2 with a stripped-username or a an external program like ntlm_auth without AD binding which could be executed in the eap module
>> 
>> You can't strip the User-Name and expect that ntlm_auth will work.  Again, the MS-CHAP calculations are done on the full username as supplied by the user.  Which in this case, includes the OTP.
>> 
>> Since AD works on the *real name*, and not the *name with the OTP*, you can't pass both the real name and the one with the OTP, to ntlm_auth.  ntlm_and and AD don't support that use-case.
>> 
>> What you want to do is impossible.
>> 
>> If the users name and password is in SQL, then it's possible.  Look up the user in SQL based on the Stripped-User-Name (which is the default).  And, do the MS-CHAP calculations based on the real User-Name (which is also the default).
>> 
>> And *don't* modify the User-Name attribute.
>> 
>> Alan DeKok.
>> 
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list