Freeradius and external script authentication using CHAP / MS-CHAP

I am using Freeradius to authenticate users through an external script, as shown here, that returns Accept or Reject when passed in a username and password pair.

authorize {
    update control {
        # Runs the script; its output (Accept or Reject) is assigned to Auth-Type
        Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'`
    }
}

This works as expected when the client is using PAP. The password is sent to %{User-Password}.

However, when using CHAP or MS-CHAP, it does not work because %{User-Password} remains empty.

How can I get the cleartext password to send to my script? Alternatively, is there any other way to support CHAP / MS-CHAP?

+3




1 answer


The field %{CHAP-Password} contains a hash of the password and a challenge, which is some magic number.

The field %{CHAP-Challenge} contains the challenge used in this session.



While you cannot get the cleartext password from this in live real-time, if you have the cleartext password you can use it with the CHAP-Challenge as shown here using md5. This should then equal your CHAP-Password value.

+1
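The check described in the answer, as an added example that is not part of the original post or of FreeRADIUS: per RFC 1994 the CHAP response is MD5(identifier || password || challenge), and the RADIUS CHAP-Password attribute carries the 1-byte identifier followed by that 16-byte digest. The function names, the sample values, and the assumption that the script receives both attributes as hex strings (optionally prefixed with 0x) are illustrative.

```python
import hashlib
import hmac


def _octets(value: str) -> bytes:
    """Decode an octets attribute passed as hex, with or without a 0x prefix."""
    value = value.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value)  # raises ValueError on malformed hex


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password_hex: str, chap_challenge_hex: str,
                stored_password: str) -> bool:
    """Compare a received CHAP-Password with the one derived from the
    cleartext password the server has on record for this user."""
    try:
        chap_password = _octets(chap_password_hex)
        challenge = _octets(chap_challenge_hex)
    except ValueError:
        return False
    # CHAP-Password is exactly 1 identifier byte + 16 digest bytes.
    if len(chap_password) != 17 or not challenge:
        return False
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_password.encode("utf-8"), challenge)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


# Constructed sample values (not captured from a real session).
SAMPLE_ID = 0x2A
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_PASSWORD = "correct horse"
SAMPLE_CHAP_PASSWORD = bytes([SAMPLE_ID]) + chap_response(
    SAMPLE_ID, SAMPLE_PASSWORD.encode("utf-8"), SAMPLE_CHALLENGE)

if __name__ == "__main__":
    ok = verify_chap("0x" + SAMPLE_CHAP_PASSWORD.hex(),
                     "0x" + SAMPLE_CHALLENGE.hex(), SAMPLE_PASSWORD)
    print("Accept" if ok else "Reject")
```

This only works when the backend can supply the user's cleartext password; a store holding one-way password hashes cannot reproduce the MD5 input. When the client sends no CHAP-Challenge attribute, RFC 2865 specifies that the Request Authenticator serves as the challenge.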