freeradius, problem with chap ?

Alan DeKok aland at deployingradius.com
Sun Dec 4 11:58:26 CET 2011


Piotr wrote:
> I changed the type of authentication on the Cisco ASA to PAP:

  OK..

> but I don't know why I still get on FR:

  CHAP.  Go find out why the Cisco box isn't taking instructions.

> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

  That should be pretty obvious.

> [files]         expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}'
> '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' ->
> /usr/local/bin/otp4freeradius.sh 'popo3' '' '' '' ''

  Uh... that really won't work at all.  What's a "reply:Secret"?  Did
you define the attribute yourself?

  And even if you did, the problem is on the NAS.  Fix it so it sends
CHAP.  This isn't a FreeRADIUS problem.

> FR tries to authenticate via CHAP.

  ABSOLUTELY NOT.

  FreeRADIUS *receives* a request with CHAP password.  The NAS sends it.

  I have no idea why this misunderstanding is so widespread.  The NAS
sends a packet, FreeRADIUS prints it out, and tons of people claim that
FreeRADIUS has created the content of the packet.

  It's astonishing.  Fix that misunderstanding, and most everything else
becomes easy.

  Alan DeKok.
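
Added example, not part of the message above and not FreeRADIUS code: a minimal RFC 2865 parser that reads an Access-Request and reports which password attribute the NAS put in it, which is the only thing that decides whether the server sees PAP or CHAP. The password "s3cret", the challenge bytes and the identifiers are constructed sample values; the user name is the one from the debug output.

```python
import hashlib, hmac, struct

# RFC 2865 attribute type numbers
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for the attributes of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def auth_method(packet: bytes) -> str:
    """Name the method the NAS chose, judged only by what is in the packet."""
    attrs = parse_attributes(packet)
    if CHAP_PASSWORD in attrs:
        return "CHAP"
    return "PAP" if USER_PASSWORD in attrs else "other"

def chap_matches(packet: bytes, cleartext: bytes) -> bool:
    """Check CHAP-Password against a known cleartext password (RFC 2865, 5.3)."""
    attrs = parse_attributes(packet)
    chap = attrs[CHAP_PASSWORD][0]  # 1-byte CHAP ident + 16-byte MD5 response
    if len(chap) != 17:
        return False
    # The challenge is CHAP-Challenge if present, else the Request Authenticator.
    challenge = attrs.get(CHAP_CHALLENGE, [packet[4:20]])[0]
    expected = hashlib.md5(chap[:1] + cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap[1:])

def build_request(attrs, authenticator=bytes(16)) -> bytes:
    """Assemble a constructed Access-Request (code 1) for the samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + authenticator + body

# Constructed sample packets; every value here is made up for the example.
CHALLENGE = bytes(range(16))
RESPONSE = hashlib.md5(b"\x2a" + b"s3cret" + CHALLENGE).digest()
CHAP_REQ = build_request([(USER_NAME, b"popo3"), (CHAP_CHALLENGE, CHALLENGE),
                          (CHAP_PASSWORD, b"\x2a" + RESPONSE)])
PAP_REQ = build_request([(USER_NAME, b"popo3"), (USER_PASSWORD, bytes(16))])
```

A CHAP request carries no User-Password at all, so a script expanded with '%{User-Password}' receives an empty string, as in the debug output quoted above.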


