Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

Dan Searle dan at adelix.com
Thu Aug 30 16:08:16 CEST 2007 

Hi,

I've been running a free radius server for a while now, but today for
no apparent reason I'm getting a lot of intermittent authentication
failures using the rlm_chap module.

Here's a trace of two login's the first works fine, the second a few
moments later fails, the username and password supplied in both cases
are correct and exactly the same. Can anyone shed any light on this?
I've tried rebuilding the mysql database from scratch, and recompiling
and installing the radius server, but to no avail...

----------------------------------------------------------------------------------------


rad_recv: Access-Request packet from host 81.178.20.107:1024, id=25, length=204
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "00:14:A4:87:DF:FF"
        Called-Station-Id = "rural-ap1"
        NAS-Port-Id = "wlan2"
        User-Name = "dan at adelix.com"
        NAS-Port = 2149580817
        Acct-Session-Id = "80200011"
        Framed-IP-Address = 10.5.50.254
        Mikrotik-Host-IP = 10.5.50.254
        CHAP-Challenge = 0xxxxxx[removed]
        CHAP-Password = 0xxxxxx[removed]
        Service-Type = Login-User
        WISPr-Logoff-URL = "http://10.5.50.1/logout"
        NAS-Identifier = "rural-ap1"
        NAS-IP-Address = 10.0.0.249
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 3
    users: Matched entry DEFAULT at line 54
radius_xlat:  '/usr/local/bin/mtauth.pl dan at adelix.com'
  modcall[authorize]: module "files" returns ok for request 3
radius_xlat:  'dan at adelix.com'
rlm_sql (sql): sql_set_user escaped user --> 'dan at adelix.com'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module "sql" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 3
  rlm_chap: login attempt by "dan at adelix.com" with CHAP password
  rlm_chap: Using clear text password "xxxxxxx" for user dan at adelix.com authentication.
  rlm_chap: chap user dan at adelix.com authenticated succesfully
  modcall[authenticate]: module "chap" returns ok for request 3
modcall: leaving group CHAP (returns ok) for request 3
Exec-Program output: Session-Timeout=1173, Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121,
Exec-Program-Wait: value-pairs: Session-Timeout=1173, Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121,
Exec-Program: returned: 0
Sending Access-Accept of id 25 to 81.178.20.107 port 1024
        Session-Timeout = 1173
        Mikrotik-Xmit-Limit = 1073222818
        Mikrotik-Recv-Limit = 1073515121
Finished request 3

----------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 81.178.20.107:1024, id=24, length=204
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "00:14:A4:87:DF:FF"
        Called-Station-Id = "rural-ap1"
        NAS-Port-Id = "wlan2"
        User-Name = "dan at adelix.com"
        NAS-Port = 2149580816
        Acct-Session-Id = "80200010"
        Framed-IP-Address = 10.5.50.254
        Mikrotik-Host-IP = 10.5.50.254
        CHAP-Challenge = 0xxxxxx[removed]
        CHAP-Password = 0xxxxxx[removed]
        Service-Type = Login-User
        WISPr-Logoff-URL = "http://10.5.50.1/logout"
        NAS-Identifier = "rural-ap1"
        NAS-IP-Address = 10.0.0.249
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 5
    users: Matched entry DEFAULT at line 54
radius_xlat:  '/usr/local/bin/mtauth.pl dan at adelix.com'
  modcall[authorize]: module "files" returns ok for request 5
radius_xlat:  'dan at adelix.com'
rlm_sql (sql): sql_set_user escaped user --> 'dan at adelix.com'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id'
rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 5
  rlm_chap: login attempt by "dan at adelix.com" with CHAP password
  rlm_chap: Using clear text password "xxxxxxx" for user dan at adelix.com authentication.
  rlm_chap: Password check failed
  modcall[authenticate]: module "chap" returns reject for request 5
modcall: leaving group CHAP (returns reject) for request 5
auth: Failed to validate the user.


----------------------------------------------------------------------------------------


--

Dan Searle
Adelix Ltd
dan.searle at adelix.com web: www.adelix.com
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.

Adelix Ltd is a registered company in England & Wales No. 4232156
VAT registration number 779 4232 91
Adelix Ltd is BS EN ISO 9001:2000 Certified (No. GB 12763)

Any views expressed in this email communication are those
of the individual sender, except where the sender specifically states
them to be the views of a member of Adelix Ltd.  Adelix Ltd. does not
represent, warrant or guarantee that the integrity of this communication
has been maintained nor that the communication is free of errors or
interference.


------------------------------------------------------------------------------------
Scanned for viruses, spam and offensive content by CensorNet MailSafe

Professional Web & E-mail Filtering from www.censornet.com

More information about the Freeradius-Users mailing list