Freeradius External Script Auth.

Alan DeKok aland at
Thu Feb 6 20:15:33 CET 2020

On Feb 6, 2020, at 12:35 PM, Vertigo Vertigo <vertigo.altair at> wrote:
> I want to authorize users that connect to an AP with my external script.
> Because I have multiple data sources (multiple Active Directory, another
> API etc.) and I want to make authorization by using these data sources as I
> want.

  FreeRADIUS can do some pretty complex things with unlang.  I'd really recommend using that.

> That's why I'm using an external script for authorization. I updated
> /etc/raddb/sites-enabled/default's authorize section;

  That's good.  But...

> When I run "radtest" with PAP method, everything is OK, I have "User-Name"
> and "User-Password" attributes, I'm able to authorize users etc. However,
> when I make tests with an AP with 802.1x EAP method, there is no
> cleartext password (User-Password) and I cannot make authorization.

> My question is how can I make authorization without the "User-Password" attribute.

  It's impossible.

> As I said, I have cleartext passwords in my data sources, so I can hash
> them and compare with other hash that a client sent. How can I perform this
> operation with EAP, CHAP, MSCHAP etc. methods?

  You will need to re-implement all of EAP, CHAP, and MS-CHAP in your data source.

  Or, treat the data source as a *database*.  And have it supply the clear text password to FreeRADIUS.  It will then do all of the necessary calculations.

  In short: FreeRADIUS is an authentication server, not a database.  And a database isn't an authentication server.  They do very different things.

  Alan DeKok.
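
Added example, not part of the original message and not FreeRADIUS code: a minimal CHAP check per RFC 1994 showing why the server side needs the clear text password when no User-Password is sent. All names and sample values are constructed for illustration, and the SHA-256 "hashed store" is an assumed stand-in for a data source that keeps only hashes.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Check a RADIUS CHAP-Password value: 1-byte identifier + 16-byte response."""
    if len(chap_password) != 17:
        return False
    ident, received = chap_password[0], chap_password[1:]
    # The server can only recompute the response from the same secret the
    # client used, i.e. the clear text password.
    return hmac.compare_digest(received, chap_response(ident, stored, challenge))


# Constructed sample data (not from the thread).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 7
PASSWORD = b"constructed-sample-password"


def client_chap_password(password: bytes) -> bytes:
    """What reaches the server: identifier + digest, never the password."""
    return bytes([IDENT]) + chap_response(IDENT, password, CHALLENGE)


def run_demo() -> dict:
    wire = client_chap_password(PASSWORD)
    hashed = hashlib.sha256(PASSWORD).hexdigest().encode()  # assumed hash-only store
    return {
        "cleartext_store": verify_chap(wire, CHALLENGE, PASSWORD),
        "hashed_store": verify_chap(wire, CHALLENGE, hashed),
        "wrong_password": verify_chap(client_chap_password(b"guess"), CHALLENGE, PASSWORD),
        "truncated_attr": verify_chap(wire[:-1], CHALLENGE, PASSWORD),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:16} -> {'accept' if ok else 'reject'}")
```

Only the store holding the clear text password reproduces the client's response; a script that receives the request has nothing to compare a stored hash against.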
