Detect MSCHAPv2 inner-tunnel state
Gary Gwin
garygwin at gmail.com
Wed Sep 26 20:17:28 CEST 2018
Hi Matthew,
Using the session-state list worked, thanks! Here's what I did. In the
inner-tunnel authorize section:
eap {
ok = return
}
update request {
&Tmp-String-2 := &outer.session-state:Tmp-String-2
}
rlm_my_module
update {
&outer.session-state:Tmp-String-2 := &config:NT-Password
}
I inspect Tmp-String-2 in rlm_my_module and, if populated, do not call the
API to get the NT hash again. I noticed, however, the following in the
post-auth section:
(9) post-auth {
(9) update {
(9) &reply::Tmp-String-2 += &session-state:Tmp-String-2[*] ->
'0x3143394634423634423245394643353832433234464232444145463636393732'
(9) } # update = noop
Any concerns or suggestions?
Thanks again,
Gary
On Sat, Sep 22, 2018 at 12:32 PM Matthew Newton <mcn at freeradius.org> wrote:
> On 22 September 2018 18:23:00 BST, Gary Gwin <garygwin at gmail.com> wrote:
> >During the chatty inner-tunnel MSCHAPv2 negotiation, the get NT hash
> >API is
> >invoked twice in requests 7 and 8, which works, but with unnecessary
> >script
> >and API load. I can eliminate the second invocation in step 8 by
> >checking
> >the request EAP-Message for length. That feels fragile. There must be a
> >better way to detect state to determine we're in request 8.
>
> Put the hash in the session-state list, but only if it's not already there?
>
>
> --
> Matthew
>
More information about the Freeradius-Users
mailing list