SSO Active Directory via RADIUS using PAP

As of today the only method supported for authentication by the Active Directory SSO is PAP/SPAP which are unencrypted, meaning the password is sent in clear from the pritunl server to the RADIUS server.

My proposal is to implement the more secure EAP MS-CHAPv2 auth method.
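To make the point about PAP concrete, here is an added example that is not code from this thread or from Pritunl: it assembles a RADIUS Access-Request the way RFC 2865 specifies and shows what the User-Password "hiding" amounts to. The password is XORed with an MD5 keystream derived only from the shared secret and the Request Authenticator, so the RADIUS server, or anyone else who holds the shared secret and a capture of the packet, recovers it directly. The shared secret, authenticator, user name and password below are constructed values for the demonstration.

```python
# Added example (not from the forum thread or from Pritunl): how a RADIUS
# Access-Request carries a PAP password, per RFC 2865 section 5.2.
import hashlib
import struct

# Constructed values for the demonstration; not from any real deployment.
EXAMPLE_SECRET = b"example-shared-secret"
EXAMPLE_AUTHENTICATOR = bytes(range(16))  # stands in for the random Request Authenticator

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Apply the RFC 2865 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte block
    is XORed with MD5(secret + previous_block), where the first "previous
    block" is the Request Authenticator.  No key other than the shared secret
    is involved, so whoever holds the secret can undo the transformation,
    which is why PAP over RADIUS is treated as plaintext-equivalent.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password(); this is exactly what the RADIUS server does."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[off:off + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # Padding removal assumes the password itself contains no NUL bytes.
    return bytes(clear).rstrip(b"\x00")


def build_access_request(identifier: int, user_name: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Assemble a minimal Access-Request: header, authenticator, two TLV attributes."""
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user_name)) + user_name
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    length = 20 + len(attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length)
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def recover_pap_password(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS server sees; the same applies to anyone holding the secret."""
    authenticator = packet[4:20]
    hidden = parse_attributes(packet)[ATTR_USER_PASSWORD]
    return unhide_password(hidden, secret, authenticator)


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse battery staple",
                               EXAMPLE_SECRET, EXAMPLE_AUTHENTICATOR)
    print("User-Password on the wire:", parse_attributes(pkt)[ATTR_USER_PASSWORD].hex())
    print("recovered with the shared secret:", recover_pap_password(pkt, EXAMPLE_SECRET))
```

The wire bytes look scrambled, but the only thing standing between them and the password is the shared secret. That is why PAP/SPAP over RADIUS is normally only acceptable on a protected transport (RadSec, i.e. RADIUS over TLS, or an IPsec tunnel between the Pritunl host and the RADIUS server), and why an EAP method with mutual authentication is the better fix the original post asks for.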

There isn’t any good support in Python for RADIUS with EAP MS-CHAPv2. Most Active Directory installations have transitioned to Microsoft Entra which is supported in Pritunl. It could be done with the plugin system by adding the file /var/lib/pritunl/plugins/radius.py.

from pritunl import settings
from pritunl import logger

# [SYNCHRONOUS] Called on user login must return True or False and an
# organization name that the user will be added to. The organization name must
# be included. Also called on each user connection. This plugin is used to
# support user logins with credentials from other systems. The user_name and
# password must be verified in the plugin, no other authentication will be
# checked.
def user_authenticate(host_id, host_name, user_name, password, remote_ip,
        **kwargs):
    logger.info('RADIUS plugin authenticate', 'plugin',
        host_id=host_id,
        host_name=host_name,
        user_name=user_name,
        remote_ip=remote_ip,
        sso=settings.app.sso,
        sso_radius_host=settings.app.sso_radius_host,
        # sso_radius_secret is the RADIUS shared secret; it is read from
        # settings.app.sso_radius_secret when needed but not written to the log.
        sso_radius_timeout=settings.app.sso_radius_timeout,
        sso_radius_prefix=settings.app.sso_radius_prefix,
    )

    # AUTH_OK is a placeholder: set it from your own verification of
    # user_name and password (for example a RADIUS exchange using the
    # sso_radius_* settings above).
    AUTH_OK = False

    if AUTH_OK:
        return True, 'organization_name', ['group', 'names']
    else:
        return False, None, None

Thanks for the answer and the example,
though the approach you suggested doesn't permit the usage of EAP-TLS, which makes use of certificates instead of a password.

Is there a way to implement it via plugins?

There doesn’t appear to be any Python library for that method of authentication. If you can find code that will do it, it can be added to a plugin.

What I mean is:

Via the Pritunl plugin I don't see any way to implement the TLS handshake needed for EAP-TLS between the RADIUS server and the client.

I would like to provide the certificate needed for the handshake to the client and then use Pritunl to make the auth.

Apart from the implementation of the protocol in Python, my questions are:

  1. Can I pass the certs from the client to the Pritunl server?
    1. If yes, how do I use them in the plugins? I don't see any arguments for that.
    2. If not, is there an alternative way to implement the certificate exchange needed for the authentication?

I don’t think that would be possible.