Freeradius External Script Auth.

Vertigo Vertigo vertigo.altair at
Thu Feb 6 18:35:51 CET 2020

Hi Freeradius people,
I want to authorize users that connect to AP with my external script.
Because I have multiple data source ( multiple Active Directory, another
API etc.) and I want to make authorization by using these data sources as I
want. That's why I'm using an external script to authorization. I updated
/etc/raddb/sites-enabled/default's authorize section;


update {

control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`

reply: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v`


When I run "radtest" with PAP method, everything is OK, I have "User-Name"
and "User-Password" attributes,  I'm able to authorize users etc. However,
when I make tests with an AP with 802.1x EAP method, , there is no
cleartext password (User-Password) and I cannot make authorization. My
question is how can I make authorization without "User-Password" attribute.
As I said, I have cleartext passwords in my data sources, so I can hash
them and compare with other hash that a client sent. How can I perform this
operation with EAP, CHAP, MSCHAP etc. methods?

More information about the Freeradius-Users mailing list