Fabiano wrote:
> Can you point me to a document or website where the following mechanism
> is described well ?
>
> ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? ->
> auth is delegated to external script receiving attributes like username
> and password in clear -> external script gives the auth ok answer ->
> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.

> The part I don't understand is how does this MSCHAPv2 auth work in
> Freeradius, and how the external script could get the attributes when
> the MSCHAPv2 challenge password is encrypted ? Does it mean that I have
> to implement the MSCHAPv2 challenge auth by myself, entirely in the
> external script ?

No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.

> Concerning the cleartext password;
> In your previous message, you say : "get it from somewhere" but I can't
> figure out how...

A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.

Alan DeKok.

