chap authenticatin fail

Yukou Katori yukou.katori at yahoo.com
Thu Nov 12 16:58:06 CET 2015 

Hi,

Sorry for my basic question though, I'm setting up chap-md5
authentication FreeRadius3 with traffic tester (Spirent).
But authentication failed.

[topo]
tester ----- (pppoe) --- authenticator --- (radius) --- FR3

[issue]
         <-pppoe, lcp -> OK
         <------------------- challenge
         -------------------> response ------------------> radius rewuest
                                                         <------
radius reject!!!

I tried local test with "radtest -x -4 -t chap user1 at yk testing!
127.0.0.1 1812 testing123", and it worked (authenticaton success).

On the tester, I configured "user at yk" as ID and "testing!" as PW and
"chap md5 authenticaton" as method.

Then I saw chap failure as follows (summary by wireshark):
Sending challenge : Challenge (NAME='R3', VALUE=0x457e20c349a6c2bd)
Response challenge :  Response (NAME='user1 at yk',
VALUE=0x9e913a644c3c15e78d31a540f5d8e90b)
Sending Radius-Req : Access-Request(1) (id=58, l=77)
Responding Radius-Rej : Access-Reject(3) (id=58, l=20)

>From debug:
Fri Nov 13 00:08:28 2015 : Debug: (0) Found Auth-Type = CHAP
Fri Nov 13 00:08:28 2015 : Debug: (0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Fri Nov 13 00:08:28 2015 : Debug: (0)   Auth-Type CHAP {
Fri Nov 13 00:08:28 2015 : Debug: (0)     modsingle[authenticate]:
calling chap (rlm_chap) for request 0
Fri Nov 13 00:08:28 2015 : ERROR: (0) chap:
&control:Cleartext-Password is required for authentication
Fri Nov 13 00:08:28 2015 : Debug: (0)     modsingle[authenticate]:
returned from chap (rlm_chap) for request 0
Fri Nov 13 00:08:28 2015 : Debug: (0)     [chap] = fail
Fri Nov 13 00:08:28 2015 : Debug: (0)   } # Auth-Type CHAP = fail
Fri Nov 13 00:08:28 2015 : Debug: (0) Failed to authenticate the user
Fri Nov 13 00:08:28 2015 : Auth: (0) Login incorrect (chap:
&control:Cleartext-Password is required for authentication):
[user1 at yk] (from client R3 port 0)

Of course, I set "Cleartext-Password" Home$raddb/users too.
I tried lots of combination on it, so I omit the configuraton of it.

What does "ERROR: (0) chap: &control:Cleartext-Password is required
for authentication" mean first of all... I made sure to configure
"Cleartext-Password".

I just thought if each PW between pppoe client and server is
identical, that works successfully as chap authentication.
Is there any parameter I should care about when configuring chap authentication?

Regards,

yk

More information about the Freeradius-Users mailing list