CHAP-Challenge Question

Jeremiah mis at airmail.net
Thu Mar 10 21:48:22 CET 2011


We are using freeradius 2.1.10.

We are using a Mikrotik as a NAS and trying to use CHAP for hotspot 
access.  I have a test user set up and can use ntradping to get an 
Access-Accept back.
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 174.57.91.24 port 1026, id=7, length=52
         User-Name = "testwifi"
         CHAP-Password = 0xe89981fe6bf05bf6af662769cbb1a084f8
# Executing section authorize from file /opt/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> testwifi
[sql] sql_set_user escaped user --> 'testwifi'
[sql] User found in radcheck table
++[sql] returns ok
++[mschap] returns noop
Found Auth-Type = CHAP
# Executing group from file /opt/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "testwifi" with CHAP password
[chap] Using clear text password "testblah" for user testwifi authentication.
[chap] chap user testwifi authenticated succesfully
++[chap] returns ok
Login OK: [testwifi] (from client mikrotik port 0)
# Executing section post-auth from file /opt/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 174.57.91.24 port 1026
         Mikrotik-Rate-Limit := "256k/512k"
         Session-Timeout += 120
Finished request 1.
Going to the next request

When a request comes in from the Tik, it adds a CHAP challenge and the 
CHAP password obviously is different and the request fails.

rad_recv: Access-Request packet from host 203.45.185.115 port 33303, id=6, length=246
         NAS-Port-Type = Wireless-802.11
         Calling-Station-Id = "00:12:AB:36:3E:0C"
         Called-Station-Id = "server1"
         NAS-Port-Id = "bridge1"
         User-Name = "testwifi"
         MS-CHAP-Domain = "wifi.net"
         NAS-Port = 2157969420
         Acct-Session-Id = "80a0000c"
         Framed-IP-Address = 192.168.10.246
         Mikrotik-Host-IP = 192.168.10.246
         CHAP-Challenge = 0xf3663a1617d0a1d2537c157ee4ef1e77
         CHAP-Password = 0xedcbec473f0529359a785e47ada0e0b23e
         Service-Type = Login-User
         WISPr-Logoff-URL = "http://0.0.0.0/logout"
         NAS-Identifier = "MikroTik"
         NAS-IP-Address = 203.45.185.115
         Mikrotik-Realm = "wifi.net"
# Executing section authorize from file /opt/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql]   expand: %{User-Name} -> testwifi
[sql] sql_set_user escaped user --> 'testwifi'
[sql] User found in radcheck table
++[sql] returns ok
++[mschap] returns noop
Found Auth-Type = CHAP
# Executing group from file /opt/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "testwifi" with CHAP password
[chap] Using clear text password "testblah" for user testwifi authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password): [testwifi/<CHAP-Password>] (from client mikrotik port 2157969420 cli 00:12:AB:36:3E:0C)
Using Post-Auth-Type Reject
# Executing group from file /opt/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testwifi
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 22 for 1 seconds
Going to the next request
Waking up in 0.3 seconds.

What basic element am I failing to understand?  If the chap challenge 
string is sent in, should freeradius be able to use that with the 
chap-password to accept the user?

Thanks

Jeremiah
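The check that rlm_chap applies in the debug output above, as an added example (this is not code from the post or from the FreeRADIUS project). Per RFC 2865 section 5.3 the CHAP-Password attribute is 17 octets: the CHAP ident, then MD5(ident + clear-text password + challenge), where the challenge is the CHAP-Challenge attribute if the NAS sent one and otherwise the 16-octet Request Authenticator of the Access-Request. So yes, the server does use the challenge together with the stored clear-text password; the value changes with every challenge, and a reject means that at least one of the three inputs (ident, password, challenge) the client hashed was not what the server recomputed with. The ident, challenge and authenticator values below are constructed for the example; only the password "testblah" comes from the log.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Added example, not from the original post or from FreeRADIUS itself.
# Re-implements the rlm_chap check: CHAP-Password = ident || MD5(ident ||
# clear-text-password || challenge); challenge = CHAP-Challenge attribute if
# present, else the 16-octet Request Authenticator (RFC 2865 s5.3, RFC 1994).


def attr_hex(value: str) -> bytes:
    """Turn the 0x... form printed in the debug output into bytes."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Build the 17-octet CHAP-Password value the way the client/NAS does."""
    if not 0 <= chap_id <= 0xFF:
        raise ValueError("CHAP ident must fit in one octet")
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def chap_verify(chap_password: bytes, cleartext_password: bytes,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check: take the ident from the attribute, recompute the
    digest with the stored clear-text password, compare. True = Access-Accept."""
    if len(chap_password) != 17:
        return False                      # malformed attribute, reject
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def demo() -> Dict[str, bool]:
    """Run the check over constructed inputs (ident, challenge and
    authenticator are made up for this example)."""
    password = b"testblah"                                           # from the log
    chap_id = 0x2A                                                   # constructed
    challenge = attr_hex("0x00112233445566778899aabbccddeeff")        # constructed CHAP-Challenge
    authenticator = attr_hex("0xffeeddccbbaa99887766554433221100")    # constructed Request Authenticator
    other_challenge = attr_hex("0x0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed

    with_challenge = chap_response(chap_id, password, challenge)
    with_authenticator = chap_response(chap_id, password, authenticator)

    return {
        # NAS sent CHAP-Challenge; client hashed the stored password with it
        "challenge_attr_correct_password": chap_verify(with_challenge, password, challenge, authenticator),
        # same challenge, but the server's stored password is not what the client hashed
        "challenge_attr_wrong_password": chap_verify(with_challenge, b"wrongpass", challenge, authenticator),
        # client hashed with one challenge, the server was handed another
        "challenge_attr_mismatch": chap_verify(with_challenge, password, other_challenge, authenticator),
        # no CHAP-Challenge attribute: the Request Authenticator is the challenge
        "no_challenge_attr_authenticator_used": chap_verify(with_authenticator, password, None, authenticator),
        # no CHAP-Challenge attribute, but the client hashed something else as challenge
        "no_challenge_attr_other_challenge": chap_verify(with_challenge, password, None, authenticator),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'Access-Accept' if ok else 'Access-Reject'}")
```

Two things can be read straight off the rejected request in the post: the CHAP-Challenge is the expected 16 octets, and the CHAP-Password starts with 0xed, so the client used ident 0xed for that attempt. Whether the hash matches is then decided entirely by which password and which challenge bytes the client fed into MD5; the server's side of the computation has no other inputs.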



More information about the Freeradius-Users mailing list