Detect MSCHAPv2 inner-tunnel state
Gary Gwin
garygwin at gmail.com
Sat Sep 22 19:23:00 CEST 2018
The attached radius.log shows successful EAP-PEAP/MSCHAPv2 authentication
using a Windows 10 client and Meraki access point with FreeRADIUS 3.0.17.
An inner-tunnel Python script uses an API to get the NT hash and sets the
NT-Password within authorize. The standard authenticate MS-CHAP module then
handles.
During the chatty inner-tunnel MSCHAPv2 negotiation, the get NT hash API is
invoked twice in requests 7 and 8, which works, but with unnecessary script
and API load. I can eliminate the second invocation in step 8 by checking
the request EAP-Message for length. That feels fragile. There must be a
better way to detect state to determine we're in request 8.
Any recommendations?
Thanks,
Gary
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.log
Type: application/octet-stream
Size: 56530 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180922/fd45ad84/attachment-0001.obj>
More information about the Freeradius-Users
mailing list