Freeradius External Script Auth.

Lang, Russell Russell.Lang at
Fri Feb 7 06:11:19 CET 2020

We used to do this, but moved away from it.  Our external program was a python script, and the startup time for each authentication for too long.

If you must do 802.1x EAP using this method, then note that EAP is handled by default site, while MSCHAP is handled by inner-tunnel site.  In the inner-tunnel, you can exec a program and give it the MSCHAP challenge and response, validate that against NT-Password that you have stored, and return the NT session key back to FreeRADIUS.  This involves implementing MSCHAP code that already exists in FreeRADIUS.

The simpler alternative that we are now using is to call a REST API from FreeRADIUS during authorisation (really pre-auth) and return the NT-Password, letting FreeRADIUS do all the EAP / PAP / MSCHAPv2 stuff during authentication.
See my previous emails to this list on rlm_rest, but note that some of the information I wrote I have now discovered wasn't correct.

Russell Lang

-----Original Message-----
From: Freeradius-Users < at> On Behalf Of Vertigo Vertigo
Sent: Friday, 7 February 2020 04:36
To: freeradius-users at
Subject: Freeradius External Script Auth.

[External Email] This email was sent from outside the organisation – be cautious, particularly with links and attachments.

Hi Freeradius people,
I want to authorize users that connect to AP with my external script.
Because I have multiple data source ( multiple Active Directory, another API etc.) and I want to make authorization by using these data sources as I want. That's why I'm using an external script to authorization. I updated /etc/raddb/sites-enabled/default's authorize section;


update {

control: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -c`

reply: += `/usr/bin/myauthscript '%{User-Name}' '%{User-Password}' -v`


When I run "radtest" with PAP method, everything is OK, I have "User-Name"
and "User-Password" attributes,  I'm able to authorize users etc. However, when I make tests with an AP with 802.1x EAP method, , there is no cleartext password (User-Password) and I cannot make authorization. My question is how can I make authorization without "User-Password" attribute.
As I said, I have cleartext passwords in my data sources, so I can hash them and compare with other hash that a client sent. How can I perform this operation with EAP, CHAP, MSCHAP etc. methods?
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list