Detect MSCHAPv2 inner-tunnel state

Gary Gwin garygwin at
Sat Sep 22 19:23:00 CEST 2018

The attached radius.log shows successful EAP-PEAP/MSCHAPv2 authentication
using a Windows 10 client and Meraki access point with FreeRADIUS 3.0.17.
An inner-tunnel Python script uses an API to get the NT hash and sets the
NT-Password within authorize. The standard authenticate MS-CHAP module then

During the chatty inner-tunnel MSCHAPv2 negotiation, the get NT hash API is
invoked twice in requests 7 and 8, which works, but with unnecessary script
and API load. I can eliminate the second invocation in step 8 by checking
the request EAP-Message for length. That feels fragile. There must be a
better way to detect state to determine we're in request 8.

Any recommendations?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.log
Type: application/octet-stream
Size: 56530 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list