chap authentication with v4

Alan DeKok aland at deployingradius.com
Wed Jul 22 14:59:32 CEST 2020


On Jul 22, 2020, at 4:58 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We use MAC authentication with some stuff, and update the control Cleartext-Password to match the user-name field, as mac auth on the NASes here always use that as the password. Authorisation does all our useful accept/reject stuff, not authentication. Having said that I'd prefer not to "hack" it to bypass auth.

  Sure.

> My test NAS is an HP/Aruba 2530 with v15.17.0009 firmware
> 
> Before the chap auth runs:
> 
> Update control {
>  &Cleartext-Password = &User-Name
> }
> 
> Works on v3:
> From the access request :
> Wed Jul 22 08:33:57 2020 : Debug: (0)   User-Name = "08000f510d1e"
> Wed Jul 22 08:33:57 2020 : Debug: (0)   CHAP-Password = 0x9fdc274c2e3ca36a66a0581a10d44a7dd2
> Wed Jul 22 08:33:57 2020 : Debug: (0)   Message-Authenticator = 0x978dc5f6ccbcd916950b3d76190039dc
> ..
> .. and then the chap auth debug:
> ..
> Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Comparing with "known good" &control:Cleartext-Password value "08000f510d1e"
> Wed Jul 22 08:46:46 2020 : Debug: (0) chap: Using challenge from &request:CHAP-Challenge
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   CHAP challenge : e7714b9a5d8463e7947041bdbf399c17
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   Client sent    : dc274c2e3ca36a66a0581a10d44a7dd2
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap:   We calculated  : dc274c2e3ca36a66a0581a10d44a7dd2
> Wed Jul 22 08:33:57 2020 : Debug: (0) chap: CHAP user "08000f510d1e" authenticated successfully
> 
> But on v4, it doesn't like it, and I can't figure out why, says the password is incorrect.


> I've checked and double checked the client.conf secret is correct.

  The client secret isn't used for CHAP.  The message means that the "known good" password doesn't match the one used for CHAP.

> Wed Jul 22 07:59:01 2020: (1)    User-Name = "08000f510d1e"
> Wed Jul 22 07:59:01 2020: (1)    CHAP-Password = 0xa1526f5b6d5cc40d3d87df334515befc07
> Wed Jul 22 07:59:01 2020: (1)    Message-Authenticator = 0x5433e862ac2ab58c19866ff8bb05863f
> ..
> Wed Jul 22 07:59:01 2020: (1)    chap - Using "known good" cleartext password Cleartext-Password = "08000f510d1e"
> Wed Jul 22 07:59:01 2020: (1)    chap - Using challenge from &request:CHAP-Challenge
> Wed Jul 22 07:59:01 2020: (1)    chap -   CHAP challenge : bf61a943b98f4d1b9e9885677705a6b8
> Wed Jul 22 07:59:01 2020: (1)    chap -   Client sent    : 526f5b6d5cc40d3d87df334515befc07
> Wed Jul 22 07:59:01 2020: (1)    chap -   We calculated  : 72ca08cb516acb819b0ff9d7cc5988c4
> Wed Jul 22 07:59:01 2020: ERROR : (1)    chap - Password comparison failed: password is incorrect
> 
> Testing chap with radtest DOES work ok with v4 though, really confusing. Can anyone spot the issue? I've a feeling I've missed something obvious.. :(

  You can use the debug output to send test packets with radclient

from v3:

User-Name = "08000f510d1e"
CHAP-Password = 0x9fdc274c2e3ca36a66a0581a10d44a7dd2
CHAP-Challenge = 0xe7714b9a5d8463e7947041bdbf399c17

from v4:

User-Name =  "08000f510d1e"
CHAP-Password = 0xa1526f5b6d5cc40d3d87df334515befc07
CHAP-Challenge = 0xbf61a943b98f4d1b9e9885677705a6b8

  Send *both* of those packets to *both* servers.  If the servers behave differently, there's a bug.  If the servers behave the same, then one of the packets was using the wrong password.

  Hmm... just tried that here.  And yes, v3 passes both packets.  v4 doesn't.  How the heck is CHAP broken?  I haven't touched that code.  Maybe Arran...

  I'll take a look today.  And, add some tests so that this doesn't happen again.

  Alan DeKok.




More information about the Freeradius-Users mailing list