Alan DeKok wrote:
Fabiano wrote:
Can you point me to a document or website where the following mechanism
is described well?

i.e. MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge? ->
auth is delegated to external script receiving attributes like username
and password in clear -> external script gives the auth ok answer ->
Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

  MS-CHAP doesn't work this way.  You CANNOT give a cleartext password
to an external script by looking at the MS-CHAP data.  It is *impossible*.
Ok, thanks.
The part I don't understand is how does this MSCHAPv2 auth work in
Freeradius, and how the external script could get the attributes when
the MSCHAPv2 challenge password is encrypted? Does it mean that I have
to implement the MSCHAPv2 challenge auth by myself, entirely in the
external script?

  No.  You tell the server what the correct password is, and it does the
MS-CHAP calculations to authenticate the user.

Concerning the cleartext password:
In your previous message, you say: "get it from somewhere" but I can't
figure out how...

  A database?  You should know what the *correct* password is, otherwise
you won't be able to authenticate the user.
You mean, for example, making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db?
Is this the only way?

Thanks again !

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
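The following is an added example and is not part of the thread above nor code from the FreeRADIUS project. It shows the shape of the answer Alan gives: an external authorize script never sees or touches the MS-CHAPv2 challenge; it only tells the server what the user's correct password is, and rlm_mschap does the MS-CHAP arithmetic. Everything the server needs for that is the NT hash (MD4 of the UTF-16LE password), so the script can hand over `NT-Password` instead of the cleartext. The module name `otp_lookup`, the script path, the `PASSWORD_STORE` table and the FreeRADIUS 3.x `rlm_exec` wiring in the docstring are assumptions for illustration; a real deployment would read the current password or OTP from its own store at request time.

```python
"""Added example (not from the thread, not FreeRADIUS code): an rlm_exec-style
authorize script.  It does NOT look at the MS-CHAPv2 challenge at all; it only
looks up the user's current password and prints the control attribute that
rlm_mschap needs to do the MS-CHAP calculation itself.

Assumed FreeRADIUS 3.x wiring (hypothetical names and paths):

    # mods-available/otp_lookup
    exec otp_lookup {
        wait = yes
        program = "/usr/local/bin/otp_lookup.py %{User-Name}"
        input_pairs = request
        output_pairs = control
        shell_escape = yes
    }
    # sites-enabled/default, authorize section: list otp_lookup before mschap
"""
import struct
import sys
from typing import List, Optional

# Constructed sample store: user -> password the user is expected to present
# right now (for an OTP scheme, whatever the generator currently produces).
PASSWORD_STORE = {
    "alice": "correct horse battery",
    "bob": 'pa"ss\\word',  # characters that must be escaped in a quoted pair
}


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is missing on many OpenSSL 3 builds."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(data), 64):
        w = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _lrot((a + f(b, c, d) + w[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + w[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _lrot((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is all rlm_mschap needs."""
    return md4(password.encode("utf-16-le"))


def escape_pair_value(value: str) -> str:
    """Escape a string for use inside a double-quoted FreeRADIUS attribute value."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def control_pairs(username: str, send_hash: bool = True) -> Optional[str]:
    """Return the attribute line to print for rlm_exec, or None if the user is unknown."""
    password = PASSWORD_STORE.get(username)
    if password is None:
        return None
    if send_hash:
        # Hand over only the NT hash; it is password-equivalent for MS-CHAP,
        # so the store holding it still needs the same protection as cleartext.
        return "NT-Password := 0x" + nt_hash(password).hex()
    return 'Cleartext-Password := "%s"' % escape_pair_value(password)


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        return 2  # rlm_exec exit-code mapping: 2 = fail (module error)
    pairs = control_pairs(argv[1])
    if pairs is None:
        return 1  # 1 = reject: unknown user
    print(pairs)
    return 0  # 0 = ok: the printed pair is merged into the control list


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With `output_pairs = control` the line the script prints becomes a control attribute, and rlm_mschap then verifies the client's MS-CHAPv2 response against it; the script's only job is the lookup, and the cleartext password never has to travel from the client to the script.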