Chap Challenge Failing

Alan DeKok aland at deployingradius.com
Fri Apr 11 03:20:43 CEST 2014


Joseph Showalter wrote:
> # freeradius -v
> freeradius: FreeRADIUS Version 2.1.12

  <sigh>  I wish vendors would use a recent version.

> We have a puzzling issue with CHAP Authentication:
> 
> 
> Using radtest like this works:
> 
> radtest -d /etc/freeradius/ -t chap "6064191000 at ev.myawi.com" "6D464023735E40604457225169645C69" 127.0.0.1 1812 xxxxxx

  It uses the same library as the server.  So that isn't much of a test.

> But when a real live device request comes in, it fails:
> 
> This should be allowed but is rejected:
> Using md5 hashing, we have confirmed that it is accurate:

  What does that mean?  The CHAP algorithm requires specific steps done
in a specific order.  Are you sure you did them all correctly?  What
values did you use?

> Apr 10 15:24:22 2014 : Info: [chap] Using clear text password "325C7727326B6176362A324754623247" for user 6064191000 at ev.myawi.com authentication.
> Thu Apr 10 15:24:22 2014 : Info: [chap] Password check failed

  That's pretty definitive.

  You can believe (a) FreeRADIUS is wrong, and therefore millions of
people can't use CHAP, or (b) the vendor got it wrong, or (c) you
mis-typed the password on one or both ends.

  (c) is most likely.  (b) much less so.  (a) is almost impossible.

  I've seen vendors get basic RADIUS concepts wrong, and take years to
fix them.  But FreeRADIUS works with thousands of vendors equipment, for
hundreds of millions of users, every single day.  It's pretty much
impossible for it to get the CHAP calculation wrong.


  I tried your packet as a test case with radclient:

# file "chap"
User-Name = "6064191000 at ev.myawi.com"
CHAP-Password = 0xa7737618eb2d4f46a3945215a989923560
CHAP-Challenge = 0x5072685c0183c07d006ff00c160671a0

$ /radclient -d ../../share/ -f chap -xx localhost auth testing123

  And version 3 says (after some minor editing of output)

chap : Login attempt by "6064191000 at ev.myawi.com" with CHAP password
chap : Comparing with "known good" Cleartext-Password "6D464023735E40604457225169645C69"
chap :     chap challenge  dbad48a07b45dc16a42806283bfa3432
chap :     client sent     b39a3d7fb573cdf16e506df74cd4cbe0
chap :     we calculated   a7487911f7f12c921538b4af618f6396
chap : Password comparison failed: password is incorrect


  It doesn't match.  So the passwords are wrong, or the vendor doesn't
calculate the CHAP-Password correctly.

  And WHY is everyone so quick to publicly blame FreeRADIUS, but then
keep the vendors name a secret?  WHICH vendor is it?  What equipment?
Make, model firmware?  All that could be helpful.

  Alan DeKok.
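The "specific steps in a specific order" that the reply refers to are the ones in RFC 1994 and RFC 2865 section 5.3: the client computes MD5(ID || password || challenge) and sends the one-byte ID followed by that 16-byte digest as CHAP-Password. The script below, an added example that is not part of the original thread and not FreeRADIUS or radclient code, recomputes that value from the radclient test file quoted above, and then tries the two mistakes a practitioner would check for before blaming either side: treating a hex-looking password as its decoded bytes instead of the literal ASCII string, and hashing the fields in the wrong order. The packet values are copied from the message; the "decoded hex" and "wrong order" variants are hypothetical failure modes, not anything the thread says the vendor did.

```python
"""Recompute a RADIUS CHAP-Password the way RFC 1994 / RFC 2865 section 5.3 define it.

Added example; not FreeRADIUS or radclient source. Packet values below are
copied from the radclient test file and the server output quoted in the reply.
"""
import hashlib
import hmac

# Values from the "chap" radclient file and the v3 output in the message above.
POSTED_USER = "6064191000 at ev.myawi.com"
POSTED_CHAP_PASSWORD = "a7737618eb2d4f46a3945215a989923560"   # 17 bytes: ID + MD5
POSTED_CHAP_CHALLENGE = "5072685c0183c07d006ff00c160671a0"    # 16 bytes
POSTED_CLEARTEXT = "6D464023735E40604457225169645C69"         # Cleartext-Password as a string


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response = MD5(ID || password || challenge). The order is fixed by RFC 1994."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ID must fit in one byte")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password attribute value: the ID byte followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def split_chap_password(attr: bytes) -> tuple:
    """Split a CHAP-Password value into (ID, response). Anything but 17 bytes is malformed."""
    if len(attr) != 17:
        raise ValueError(f"CHAP-Password must be 17 bytes, got {len(attr)}")
    return attr[0], attr[1:]


def verify_chap(attr: bytes, password: bytes, challenge: bytes) -> bool:
    """What the server does: recompute with the known-good password and compare."""
    ident, client_hash = split_chap_password(attr)
    expected = chap_response(ident, password, challenge)
    return hmac.compare_digest(expected, client_hash)


def diagnose(attr_hex: str, password_text: str, challenge_hex: str) -> dict:
    """Try the correct computation plus two hypothetical client-side mistakes.

    Returns a name -> matched? mapping.  If only a wrong variant matches, the
    client is at fault; if nothing matches, the password on one side is wrong.
    """
    attr = bytes.fromhex(attr_hex)
    challenge = bytes.fromhex(challenge_hex)
    ident, client_hash = split_chap_password(attr)
    results = {}
    # Correct: password is the literal ASCII string, exactly as stored in Cleartext-Password.
    results["ascii password, correct order"] = verify_chap(attr, password_text.encode(), challenge)
    # Hypothetical mistake 1: a 32-hex-char password hashed as its 16 decoded bytes.
    try:
        decoded = bytes.fromhex(password_text)
        results["hex-decoded password"] = hmac.compare_digest(
            chap_response(ident, decoded, challenge), client_hash)
    except ValueError:
        results["hex-decoded password"] = False   # not valid hex, so not applicable
    # Hypothetical mistake 2: fields concatenated in the wrong order (password || ID || challenge).
    wrong_order = hashlib.md5(password_text.encode() + bytes([ident]) + challenge).digest()
    results["wrong field order"] = hmac.compare_digest(wrong_order, client_hash)
    return results


if __name__ == "__main__":
    for name, ok in diagnose(POSTED_CHAP_PASSWORD, POSTED_CLEARTEXT, POSTED_CHAP_CHALLENGE).items():
        print(f"{name:32s} {'MATCH' if ok else 'no match'}")
```

Run it with whichever Cleartext-Password the server actually holds for the user (the original post's server log shows a different one from the radclient test); if the "ascii password, correct order" line does not match but one of the hypothetical variants does, that pinpoints the client bug, and if nothing matches, the secret differs between the device and the server. Note that when a packet carries no CHAP-Challenge attribute, the 16-byte Request Authenticator is used as the challenge instead (RFC 2865 section 5.3).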


More information about the Freeradius-Users mailing list