Chap Challenge Failing

Joseph Showalter Tech at ekn.com
Fri Apr 11 14:10:15 CEST 2014 

Thanks for your answerers - see comments below:

On Apr 10, 2014, at 9:20 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Joseph Showalter wrote:
>> # freeradius -v
>> freeradius: FreeRADIUS Version 2.1.12
> 
>  <sigh>  I wish vendors would use a recent version.

I am willing to do that... But running the latest version that Debian stable gives me :)
Anything newer requires a compile and that takes a bit of study for me.

> 
>> We have a puzzling issue with CHAP Authentication:
>> 
>> 
>> Using radtest like this works:
>> 
>> radtest -d /etc/freeradius/ -t chap "6064191000 at ev.myawi.com" "6D464023735E40604457225169645C69" 127.0.0.1 1812 xxxxxx
> 
>  It uses the same library as the server.  So that isn't much of a test.

OK, good to know...

> 
>> But when a real live device request comes in, it fails:
>> 
>> This should be allowed but is rejected:
>> Using md5 hashing, we have confirmed that it is accurate:
> 
>  What does that mean?  The CHAP algorithm requires specific steps done
> in a specific order.  Are you sure you did them all correctly?  What
> values did you use?

Well, I am no expert here, but in this case, the SIM vendor has taken pcap files, and double checked this.

> 
>> Apr 10 15:24:22 2014 : Info: [chap] Using clear text password "325C7727326B6176362A324754623247" for user 6064191000 at ev.myawi.com authentication.
>> Thu Apr 10 15:24:22 2014 : Info: [chap] Password check failed
> 
>  That's pretty definitive.
> 
>  You can believe (a) FreeRADIUS is wrong, and therefore millions of
> people can't use CHAP, or (b) the vendor got it wrong, or (c) you
> mis-typed the password on one or both ends.
> 
>  (c) is most likely.  (b) much less so.  (a) is almost impossible.

We love FR. And don't want to think thats the problem.
But we are very puzzled.
I am putting the exact same password in the SIM as you see in the users file.
And then testing with radtest and testing with winntrad test, it seems so strange that only the SIM is failing.

It is definitely using challenge/response when using the SIM.


> 
>  I've seen vendors get basic RADIUS concepts wrong, and take years to
> fix them.  But FreeRADIUS works with thousands of vendors equipment, for
> hundreds of millions of users, every single day.  It's pretty much
> impossible for it to get the CHAP calculation wrong.
> 
> 
>  I tried your packet as a test case with radclient:
> 
> # file "chap"
> User-Name = "6064191000 at ev.myawi.com"
> CHAP-Password = 0xa7737618eb2d4f46a3945215a989923560
> CHAP-Challenge = 0x5072685c0183c07d006ff00c160671a0
> 
> $ /radclient -d ../../share/ -f chap -xx localhost auth testing123
> 
>  And version 3 says (after some minor editing of output)
> 
> chap : Login attempt by "6064191000 at ev.myawi.com" with CHAP password
> chap : Comparing with "known good" Cleartext-Password
> "6D464023735E40604457225169645C69"
> chap :     chap challenge  dbad48a07b45dc16a42806283bfa3432
> chap :     client sent     b39a3d7fb573cdf16e506df74cd4cbe0
> chap :     we calculated   a7487911f7f12c921538b4af618f6396
> chap : Password is comparison failed: password is incorrect
> 
> 
>  It doesn't match.  So the passwords are wrong, or the vendor doesn't
> calculate the CHAP-Password correctly.
> 
>  And WHY is everyone so quick to publicly blame FreeRADIUS, but then
> keep the vendors name a secret?  WHICH vendor is it?  What equipment?
> Make, model firmware?  All that could be helpful.
> 
>  Alan DeKok.
> 
The vendor here is an 3G handset, using a Gemalto SIM card, with a backbone of Ericsson equipment.

Shall I do a new pcap and test?
Do you think FR 3 would make any difference? 
I figured CHAP is around long enough there would not be any changes in newer releases?

--
respectfully, Joseph | IT

More information about the Freeradius-Users mailing list