Freeradius and external script authentication using CHAP / MS-CHAP
I am using Freeradius to authenticate users through an external script, as shown here, that returns Accept or Reject when passed in a username and password pair.
authorize {
    update control {
        Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'`
    }
}
This works as expected when the client is using PAP. The password is sent to %{User-Password}.
However, when using CHAP or MS-CHAP, it does not work because %{User-Password} remains empty.
How can I get the cleartext password to send to my script? Alternatively, is there any other way to support CHAP / MS-CHAP?
The field %{CHAP-Password} contains a hash of the password and a challenge, which is some magic number.
The field %{CHAP-Challenge} contains the challenge used in this session.
While you cannot get the cleartext password from this in live real-time, if you have the cleartext password you can use it with the CHAP-Challenge as shown here using md5. This should then equal your CHAP-Password value.
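The comparison described in the answer above, as an added example that is not part of the original post: it recomputes the CHAP response from a stored cleartext password and checks it against CHAP-Password, using the RFC 1994 / RFC 2865 layout (one CHAP ident octet followed by the 16-octet MD5 of ident, password and challenge). It assumes the script receives both attributes as hex strings with an optional 0x prefix; the function names and sample values are hypothetical.

```python
import hashlib
import hmac


def _octets(value: str) -> bytes:
    """Decode an octets attribute given as hex, with or without a 0x prefix."""
    value = value.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    return bytes.fromhex(value)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password_hex: str, chap_challenge_hex: str, cleartext: str) -> bool:
    """Return True if CHAP-Password matches the stored cleartext password."""
    try:
        attr = _octets(chap_password_hex)
        challenge = _octets(chap_challenge_hex)
    except ValueError:
        return False  # not valid hex: treat as a failed authentication
    # RFC 2865: CHAP-Password is 1 octet CHAP ident + 16 octets of MD5 response.
    if len(attr) != 17 or not challenge:
        return False
    ident, received = attr[0], attr[1:]
    expected = chap_response(ident, cleartext.encode("utf-8"), challenge)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(received, expected)


# Constructed sample values (assumptions for illustration, not from the page).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_IDENT = 0x2A
SAMPLE_ATTR = bytes([SAMPLE_IDENT]) + chap_response(
    SAMPLE_IDENT, SAMPLE_PASSWORD.encode("utf-8"), SAMPLE_CHALLENGE
)

if __name__ == "__main__":
    ok = verify_chap("0x" + SAMPLE_ATTR.hex(), "0x" + SAMPLE_CHALLENGE.hex(), SAMPLE_PASSWORD)
    print("Accept" if ok else "Reject")
```

When the request carries no CHAP-Challenge attribute, RFC 2865 specifies that the Request Authenticator is the challenge, so that value would be passed instead.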