Auth-Type := Accept - CHAP problems
Thomas Buchberger
buchberger at nefonline.de
Tue Aug 19 17:12:01 CEST 2008
Hi @ll,
we're playing with the FreeRADIUS features and are getting confused by
the way it behaves:
We have several different users in user files, which works fine.
Now we want the radius to always answer with OK and no more "Login
incorrect" - but with other options than for a correct user.
We appended in the config:
DEFAULT Auth-Type := Accept
... various Options
...
This works with PAP/CHAP, when the user is not listed in a users file.
It also works with PAP when the user is in a list, but not with CHAP!
Is there a way to realize this?
Debug says:
rad_recv: Access-Request packet from host XXX:XX, id=114, length=263
User-Name = "XXX"
Acct-Session-Id = "XXX"
CHAP-Password = XXX
CHAP-Challenge = XXX
Service-Type = Framed-User
Framed-Protocol = PPP
ERX-Pppoe-Description = "XXX"
Calling-Station-Id = "XXX"
NAS-Port-Type = Ethernet
NAS-Port = XXX
NAS-Port-Id = "XXX"
NAS-IP-Address = XXX
NAS-Identifier = "XXX"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 10
rlm_realm: No '@' in User-Name = "XXX", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
users: Matched entry DEFAULT at line 2
modcall[authorize]: module "files" returns ok for request 10
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 10
modcall: leaving group authorize (returns ok) for request 10
Found Autz-Type autz_DSL_B
Processing the authorize section of radiusd.conf
modcall: entering group autz_DSL_B for request 10
users: Matched entry XXX at line 335992
modcall[authorize]: module "autzfile_DSL_B" returns ok for request 10
modcall: leaving group autz_DSL_B (returns ok) for request 10
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 10
rlm_chap: login attempt by "XXX" with CHAP password
rlm_chap: Using clear text password "XXX" for user XXX authentication.
rlm_chap: Password check failed
modcall[authenticate]: module "chap" returns reject for request 10
modcall: leaving group CHAP (returns reject) for request 10
auth: Failed to validate the user.
--
Thomas Buchberger
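
An added example, not part of the original post: a small Python script that walks debug output like the one above and reports where Auth-Type was set, which users entries matched, which Auth-Type rad_check_password finally used, and which module rejected. The function name trace_auth_type and the regular expressions are this example's own, written against the line formats visible in the post.

```python
import re

# Lines copied from the debug output in the post above (already redacted there).
DEBUG_LOG = '''\
modcall[authorize]: module "preprocess" returns ok for request 10
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 10
users: Matched entry DEFAULT at line 2
modcall[authorize]: module "files" returns ok for request 10
modcall[authorize]: module "pap" returns noop for request 10
Found Autz-Type autz_DSL_B
users: Matched entry XXX at line 335992
modcall[authorize]: module "autzfile_DSL_B" returns ok for request 10
rad_check_password: Found Auth-Type CHAP
modcall[authenticate]: module "chap" returns reject for request 10
auth: Failed to validate the user.
'''

MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
SET_RE = re.compile(r"(\w+): Setting 'Auth-Type := (\w+)'")
MATCH_RE = re.compile(r'users: Matched entry (\S+) at line (\d+)')
FOUND_RE = re.compile(r'rad_check_password: Found Auth-Type (\w+)')

def trace_auth_type(log):
    """Return (events, effective_auth_type, rejecting_module) for one request."""
    events, effective, rejected_by = [], None, None
    for line in log.splitlines():
        line = line.strip()
        if m := SET_RE.search(line):
            # A module announced that it set Auth-Type during authorize.
            events.append(("set", m.group(1), m.group(2)))
        elif m := MATCH_RE.search(line):
            # A users-file entry matched; record its name and line number.
            events.append(("users-match", m.group(1), int(m.group(2))))
        elif m := FOUND_RE.search(line):
            # The Auth-Type the server actually uses for authenticate.
            effective = m.group(1)
            events.append(("effective", effective, None))
        elif m := MODULE_RE.search(line):
            section, module, rcode = m.group(1), m.group(2), m.group(3)
            if rcode == "reject" and rejected_by is None:
                rejected_by = (section, module)
    return events, effective, rejected_by

if __name__ == "__main__":
    events, effective, rejected_by = trace_auth_type(DEBUG_LOG)
    for event in events:
        print(event)
    print("effective Auth-Type:", effective, "| rejected by:", rejected_by)
```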