GT4NE1 wrote:
My apologies. This was my poor attempt at providing enough information, but not having to censor the output as much. Here is a fully debug for a few attempts with unique information censored out. I appreciate the response.
The client is broken. There is no other choice. The correct CHAP-Password is 0x006368d912a3c73c9b19b9d830529bfec5. *However*, if I truncate the CHAP-Challenge to 48 bytes: 0x7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019debf8cd5eadb7851b6b7248d42539089 Then FreeRADIUS calculates the CHAP-Password you have in the packet, and authenticates the user. Go back to whoever sold you the modem, and tell them that their product is broken. Tell them to fix their product. It's OK to truncate the CHAP-Challenge at 48 bytes. But if they do so, they MUST send a 48-byte CHAP-Challenge. Sending a LONGER one is stupid and wrong. If they argue, point out the above analysis. Get them to try it for themselves. If they still argue, point out all of the RADIUS RFCs with my name on them. Give them my contact information. Their product doesn't work, and cannot possibly work. The tests that the Juniper guys did were likely with CHAP-Challenges of 48 bytes or less. I doubt very much that SBR is so broken as to also truncate challenges at 48 bytes. Alan DeKok.