chap authentication with v4

FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) andy.franks1 at nhs.net
Wed Jul 22 10:58:01 CEST 2020


Hi all,
  Sorry this is embarrassingly simple, but I'm struggling a bit with it. Profuse apologies if I missed something obvious.

We use MAC authentication with some stuff, and update the control Cleartext-Password to match the User-Name field, as MAC auth on the NASes here always uses that as the password. Authorisation does all our useful accept/reject stuff, not authentication. Having said that, I'd prefer not to "hack" it to bypass auth.

My test NAS is an HP/Aruba 2530 with v15.17.0009 firmware

Before the chap auth runs:

update control {
  &Cleartext-Password = &User-Name
}

Works on v3:
From the access request:
Wed Jul 22 08:33:57 2020 : Debug: (0)   User-Name = "08000f510d1e"
Wed Jul 22 08:33:57 2020 : Debug: (0)   CHAP-Password = 0x9fdc274c2e3ca36a66a0581a10d44a7dd2
Wed Jul 22 08:33:57 2020 : Debug: (0)   Message-Authenticator = 0x978dc5f6ccbcd916950b3d76190039dc
..
.. and then the chap auth debug:
..
Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Comparing with "known good" &control:Cleartext-Password value "08000f510d1e"
Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Using challenge from &request:CHAP-Challenge
Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   CHAP challenge : e7714b9a5d8463e7947041bdbf399c17
Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   Client sent    : dc274c2e3ca36a66a0581a10d44a7dd2
Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   We calculated  : dc274c2e3ca36a66a0581a10d44a7dd2
Wed Jul 22 08:33:57 2020 : Debug: (0) chap: CHAP user "08000f510d1e" authenticated successfully

But on v4, it doesn't like it, and I can't figure out why, says the password is incorrect.
I've checked and double checked the client.conf secret is correct.

Wed Jul 22 07:59:01 2020: (1)    User-Name = "08000f510d1e"
Wed Jul 22 07:59:01 2020: (1)    CHAP-Password = 0xa1526f5b6d5cc40d3d87df334515befc07
Wed Jul 22 07:59:01 2020: (1)    Message-Authenticator = 0x5433e862ac2ab58c19866ff8bb05863f
..
Wed Jul 22 07:59:01 2020: (1)    chap - Using "known good" cleartext password Cleartext-Password = "08000f510d1e"
Wed Jul 22 07:59:01 2020: (1)    chap - Using challenge from &request:CHAP-Challenge
Wed Jul 22 07:59:01 2020: (1)    chap -   CHAP challenge : bf61a943b98f4d1b9e9885677705a6b8
Wed Jul 22 07:59:01 2020: (1)    chap -   Client sent    : 526f5b6d5cc40d3d87df334515befc07
Wed Jul 22 07:59:01 2020: (1)    chap -   We calculated  : 72ca08cb516acb819b0ff9d7cc5988c4
Wed Jul 22 07:59:01 2020: ERROR : (1)    chap - Password comparison failed: password is incorrect

Testing chap with radtest DOES work ok with v4 though, really confusing. Can anyone spot the issue? I've a feeling I've missed something obvious.. :(

Thanks
Andy
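
Added example, not part of the original post and not FreeRADIUS code: a stand-alone recomputation of the CHAP response as defined in RFC 1994, MD5(ident || password || challenge), so the "Client sent" and "We calculated" values in the two debug excerpts above can be checked outside the server. The function names are hypothetical; the hex values are copied from the post.

```python
import hashlib
import hmac


def parse_chap_password(attr_hex):
    """Split a CHAP-Password attribute into (CHAP ident, 16-byte response)."""
    text = attr_hex[2:] if attr_hex.lower().startswith("0x") else attr_hex
    raw = bytes.fromhex(text)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 MD5 bytes")
    return raw[0], raw[1:]


def chap_response(ident, password, challenge):
    """RFC 1994 response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify(attr_hex, password, challenge_hex=None, authenticator_hex=None):
    """Return (matches, expected_hex) for one request.

    RFC 2865: when no CHAP-Challenge attribute is present, the 16-byte
    Request Authenticator is the challenge.
    """
    source = challenge_hex if challenge_hex is not None else authenticator_hex
    if source is None:
        raise ValueError("need CHAP-Challenge or the Request Authenticator")
    ident, sent = parse_chap_password(attr_hex)
    expected = chap_response(ident, password.encode(), bytes.fromhex(source))
    # Constant-time comparison, as a verifier should use.
    return hmac.compare_digest(sent, expected), expected.hex()


# (CHAP-Password, CHAP challenge) pairs copied from the debug output above.
CAPTURES = {
    "v3": ("0x9fdc274c2e3ca36a66a0581a10d44a7dd2", "e7714b9a5d8463e7947041bdbf399c17"),
    "v4": ("0xa1526f5b6d5cc40d3d87df334515befc07", "bf61a943b98f4d1b9e9885677705a6b8"),
}
PASSWORD = "08000f510d1e"  # Cleartext-Password is set to the User-Name


def replay():
    """Recompute the response for each captured request."""
    return {name: verify(attr, PASSWORD, chal) for name, (attr, chal) in CAPTURES.items()}


if __name__ == "__main__":
    for name, (ok, expected) in replay().items():
        print(name, "match" if ok else "MISMATCH", "recomputed:", expected)
```

The "Client sent" value in the logs is the CHAP-Password attribute with its leading ident byte removed, and that ident byte is part of the hashed input. Comparing the recomputed value against both "Client sent" and "We calculated" shows which side's input (ident, password or challenge) differs.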

