How to use CHAP?
Karuna G. Kumar
karuna.kumar at indscape.com
Wed Jun 9 12:23:54 CEST 2010
Alan,
Thanks for your response. As you suggested, I used radclient command to test the CHAP. Now the server sends Access-Accept.
But what I observed is that the problem arises again, even with radclient, when I send the User-Password attribute along with the CHAP-Password attribute in the request. There is no problem when I don't send User-Password with CHAP-Password. Any thoughts on why it is happening like this? I am attaching the Access packet info below for both success and failure cases.
Success case:
=============
Sending Access-Request of id 168 to 127.0.0.1 port 1812
User-Name = "steve"
Acct-Session-Id = "001"
NAS-Identifier = "NASIDTest"
NAS-IP-Address = 192.168.1.120
Called-Station-Id = "called"
Calling-Station-Id = "caller"
NAS-Port = 1234
NAS-Port-Type = Ethernet
CHAP-Password = 0xa88b83c43dd3fc20c67f3566f12ebb4958
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=168, length=71
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
server logs
-----------
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "steve" with CHAP password
[chap] Using clear text password "testing" for user steve authentication.
[chap] chap user steve authenticated succesfully
++[chap] returns ok
Failure case
============
Sending Access-Request of id 109 to 127.0.0.1 port 1812
User-Name = "steve"
Acct-Session-Id = "001"
NAS-Identifier = "NASIDTest"
NAS-IP-Address = 192.168.1.120
Called-Station-Id = "called"
Calling-Station-Id = "caller"
NAS-Port = 1234
NAS-Port-Type = Ethernet
CHAP-Password = 0x74657374696e67
User-Password = "testing"
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=109, length=20
server logs:
------------
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] rlm_chap: password supplied has wrong length
++[chap] returns invalid
Failed to authenticate the user.
Regards,
Karun.
-----Original Message-----
From: freeradius-users-bounces+karuna.kumar=indscape.com at lists.freeradius.org on behalf of Alan DeKok
Sent: Wed 6/9/2010 3:26 PM
To: FreeRadius users mailing list
Cc:
Subject: Re: How to use CHAP?
Karuna G. Kumar wrote:
> I want to use CHAP for authenticating the user. When I am sending CHAP-Password to FreeRADIUS, I am getting the following error.
>
> Found Auth-Type = CHAP
> +- entering group CHAP {...}
> [chap] rlm_chap: password supplied has wrong length
Your RADIUS client does not implement RADIUS.
...
> CHAP-Password = 0x74657374696e67
It is sending *ASCII* for the CHAP-Password. It needs to implement
the CHAP protocol.
Use a real RADIUS client, like radclient.
Alan DeKok.
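Added example, not part of the original thread and not FreeRADIUS code: how a CHAP-Password value is built per RFC 2865 section 5.3 (one CHAP ident octet followed by the 16-octet MD5 of ident + password + challenge), and why the 7-octet ASCII value from the failure case fails a length check before any hash is compared. The challenge bytes, the function names and the returned status strings are assumptions made for illustration.

```python
import hashlib
import hmac

# RFC 2865 section 5.3: CHAP-Password = 1-octet CHAP ident + 16-octet response
CHAP_PASSWORD_LEN = 17


def chap_password(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """Client side: build the CHAP-Password attribute value.

    response = MD5(ident || cleartext password || challenge), where the
    challenge comes from CHAP-Challenge or, if that attribute is absent,
    from the Request Authenticator.
    """
    digest = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return bytes([ident]) + digest


def check_chap_password(value: bytes, cleartext: bytes, challenge: bytes) -> str:
    """Server side: classify a received CHAP-Password value.

    The returned strings are labels for this example only.
    """
    # A value that is not exactly 17 octets cannot be a CHAP response at all.
    if len(value) != CHAP_PASSWORD_LEN:
        return "invalid: wrong length (%d octets)" % len(value)
    # Recompute with the ident the client sent and compare in constant time.
    expected = chap_password(value[0], cleartext, challenge)
    if hmac.compare_digest(value, expected):
        return "ok"
    return "reject: response mismatch"


# Constructed 16-octet challenge (assumption; the thread does not show one).
CHALLENGE = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# A well-formed value for password "testing", built with a constructed ident.
GOOD = chap_password(0xA8, b"testing", CHALLENGE)

# The value from the failure case in this thread: plain ASCII, 7 octets.
BAD = bytes.fromhex("74657374696e67")

if __name__ == "__main__":
    print(GOOD.hex(), "->", check_chap_password(GOOD, b"testing", CHALLENGE))
    print(BAD.hex(), "->", check_chap_password(BAD, b"testing", CHALLENGE))
```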