Hi,
In process of evaluating Radsec feature, We encountered the failure with CHAP authentication. Authentication was successful with PAP, MSCHAP and eap-md5. Version(3.0.4) of freeradius is same in Client and Server. Radsecproxy version is 1.6.2.
The following is the radtest command used and the output. $radtest -x -t chap root root1234 127.0.0.1:1812 1812 radsec Sending Access-Request Id 80 from 0.0.0.0:35860 to 127.0.0.1:1812 User-Name = 'root' CHAP-Password = 0xdb78dddafe77d7bb8d5d554b24d26ba2bb NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00 Received Access-Reject Id 80 from 127.0.0.1:1812 to 127.0.0.1:35860 length 33 Reply-Message = 'Hello, root' (0) -: Expected Access-Accept got Access-Reject
The following is the freeradius 3.0.4 server log.
Wed Oct 22 19:47:17 2014 : Debug: (0) Reading from socket 14 READ FROM SSL 138 00: 17 03 01 00 20 63 12 16 67 d9 d9 9b 72 10 c9 28 10: 29 28 f9 9d a3 91 76 34 76 50 c2 02 0d ed a3 de 20: d0 b5 b6 05 41 17 03 01 00 60 ed 50 88 08 7f 9f 30: ed 15 d8 ed b9 0a c7 ea f8 75 21 fe df a9 1c 56 40: 91 85 c8 e8 4c fd 7d e3 14 52 78 a2 3d f0 fe fa 50: 57 a6 bc b7 87 4a 18 95 63 4f 6d 41 7e f4 dc f0 60: 10 f3 72 39 3b 58 8f 8c 0a 9f 0f 88 1a 5e 19 d4 70: 60 f6 c3 57 d7 a6 88 95 f0 5d f2 c6 de ee 93 0b 80: d0 24 74 ae 2a 6c 8e 8c 79 96 Wed Oct 22 19:47:17 2014 : Debug: (0) Application data status 7 TUNNELED DATA > 75 00: 01 01 00 4b ad 6c 2d c3 12 71 3a 32 7a 8a ed ae 10: 47 a7 34 4f 01 06 72 6f 6f 74 03 13 db 78 dd da 20: fe 77 d7 bb 8d 5d 55 4b 24 d2 6b a2 bb 04 06 7f 30: 00 01 01 05 06 00 00 07 14 50 12 07 3f 6b 50 ab 40: d7 1b 3f d8 e9 b1 2b 4e eb 18 e4 Wed Oct 22 19:47:17 2014 : Debug: (0) tls_recv: Access-Request packet from host 192.168.14.56 port 2083, id=1, length=75 Wed Oct 22 19:47:17 2014 : Debug: Waking up in 0.3 seconds. Wed Oct 22 19:47:17 2014 : Debug: Thread 1 got semaphore Wed Oct 22 19:47:17 2014 : Debug: Thread 1 handling request 8, (2 handled so far) User-Name = 'root' CHAP-Password = 0xdb78dddafe77d7bb8d5d554b24d26ba2bb NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x073f6b50abd71b3fd8e9b12b4eeb18e4 Wed Oct 22 19:47:17 2014 : Debug: (8) Received Access-Request packet from host 192.168.14.56 port 2083, id=1, length=75 Wed Oct 22 19:47:17 2014 : Debug: (8) User-Name = 'root' Wed Oct 22 19:47:17 2014 : Debug: (8) CHAP-Password = 0xdb78dddafe77d7bb8d5d554b24d26ba2bb Wed Oct 22 19:47:17 2014 : Debug: (8) NAS-IP-Address = 127.0.1.1 Wed Oct 22 19:47:17 2014 : Debug: (8) NAS-Port = 1812 Wed Oct 22 19:47:17 2014 : Debug: (8) Message-Authenticator = 0x073f6b50abd71b3fd8e9b12b4eeb18e4 Wed Oct 22 19:47:17 2014 : Debug: (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Wed Oct 22 19:47:17 2014 : Debug: (8) authorize { Wed Oct 22 19:47:17 2014 : Debug: (8) filter_username filter_username { Wed Oct 22 19:47:17 2014 : Debug: (8) if (!&User-Name) Wed Oct 22 19:47:17 2014 : Debug: (8) if (!&User-Name) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ / /) Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ / /) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /@.*@/ ) Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /@.*@/ ) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /\\.\\./ ) Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /\\.\\./ ) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) Wed Oct 22 19:47:17 2014 : Debug: (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /\\.$/) Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /\\.$/) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /@\\./) Wed Oct 22 19:47:17 2014 : Debug: (8) if (&User-Name =~ /@\\./) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) } # filter_username filter_username = notfound Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [preprocess] = ok Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling chap (rlm_chap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) chap : Setting 'Auth-Type := CHAP' Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from chap (rlm_chap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [chap] = ok Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling mschap (rlm_mschap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from mschap (rlm_mschap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [mschap] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling digest (rlm_digest) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from digest (rlm_digest) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [digest] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling suffix (rlm_realm) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) suffix : Checking for suffix after "@" Wed Oct 22 19:47:17 2014 : Debug: (8) suffix : No '@' in User-Name = "root", looking up realm NULL Wed Oct 22 19:47:17 2014 : Debug: (8) suffix : No such realm "NULL" Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from suffix (rlm_realm) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [suffix] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling eap (rlm_eap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) eap : No EAP-Message, not doing EAP Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from eap (rlm_eap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [eap] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling files (rlm_files) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) files : users: Matched entry root at line 91 Wed Oct 22 19:47:17 2014 : Debug: (8) files : ::: FROM 1 TO 0 MAX 1 Wed Oct 22 19:47:17 2014 : Debug: (8) files : ::: Examining Reply-Message Wed Oct 22 19:47:17 2014 : Debug: Hello, %{User-Name} Wed Oct 22 19:47:17 2014 : Debug: Parsed xlat tree: Wed Oct 22 19:47:17 2014 : Debug: literal --> Hello, Wed Oct 22 19:47:17 2014 : Debug: attribute --> User-Name Wed Oct 22 19:47:17 2014 : Debug: (8) files : EXPAND Hello, %{User-Name} Wed Oct 22 19:47:17 2014 : Debug: (8) files : --> Hello, root Wed Oct 22 19:47:17 2014 : Debug: (8) files : ::: APPENDING Reply-Message FROM 0 TO 0 Wed Oct 22 19:47:17 2014 : Debug: (8) files : ::: TO in 0 out 1 Wed Oct 22 19:47:17 2014 : Debug: (8) files : ::: to[0] = Reply-Message Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from files (rlm_files) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [files] = ok Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling expiration (rlm_expiration) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from expiration (rlm_expiration) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [expiration] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling logintime (rlm_logintime) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from logintime (rlm_logintime) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [logintime] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: calling pap (rlm_pap) for request 8 Wed Oct 22 19:47:17 2014 : WARNING: (8) pap : Auth-Type already set. Not setting to PAP Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authorize]: returned from pap (rlm_pap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [pap] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) } # authorize = ok Wed Oct 22 19:47:17 2014 : Debug: (8) Found Auth-Type = CHAP Wed Oct 22 19:47:17 2014 : Debug: (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Wed Oct 22 19:47:17 2014 : Debug: (8) Auth-Type CHAP { Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authenticate]: calling chap (rlm_chap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) chap : Login attempt by "root" with CHAP password Wed Oct 22 19:47:17 2014 : Debug: (8) chap : Comparing with "known good" Cleartext-Password "root1234" Wed Oct 22 19:47:17 2014 : Debug: (8) chap : CHAP challenge : ad6c2dc312713a327a8aedae47a7344f Wed Oct 22 19:47:17 2014 : Debug: (8) chap : Client sent : 78dddafe77d7bb8d5d554b24d26ba2bb Wed Oct 22 19:47:17 2014 : Debug: (8) chap : We calculated : 8b672ba8589f7d0658b3b3e8e2002b09 Wed Oct 22 19:47:17 2014 : ERROR: (8) chap : Password is comparison failed: password is incorrect Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[authenticate]: returned from chap (rlm_chap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [chap] = reject Wed Oct 22 19:47:17 2014 : Debug: (8) } # Auth-Type CHAP = reject Wed Oct 22 19:47:17 2014 : Debug: (8) Failed to authenticate the user Wed Oct 22 19:47:17 2014 : Debug: (8) Using Post-Auth-Type Reject Wed Oct 22 19:47:17 2014 : Debug: (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Wed Oct 22 19:47:17 2014 : Debug: (8) Post-Auth-Type REJECT { Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 8 Wed Oct 22 19:47:17 2014 : Debug: %{User-Name} Wed Oct 22 19:47:17 2014 : Debug: Parsed xlat tree: Wed Oct 22 19:47:17 2014 : Debug: attribute --> User-Name Wed Oct 22 19:47:17 2014 : Debug: (8) attr_filter.access_reject : EXPAND %{User-Name} Wed Oct 22 19:47:17 2014 : Debug: (8) attr_filter.access_reject : --> root Wed Oct 22 19:47:17 2014 : Debug: (8) attr_filter.access_reject : Matched entry DEFAULT at line 11 Wed Oct 22 19:47:17 2014 : Debug: (8) attr_filter.access_reject : Reply-Message = 'Hello, root' allowed by Reply-Message =* '' Wed Oct 22 19:47:17 2014 : Debug: (8) attr_filter.access_reject : Attribute "Reply-Message" allowed by 1 rules, disallowed by 0 rules Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [attr_filter.access_reject] = updated Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[post-auth]: calling eap (rlm_eap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[post-auth]: returned from eap (rlm_eap) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [eap] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) remove_reply_message_if_eap remove_reply_message_if_eap { Wed Oct 22 19:47:17 2014 : Debug: (8) if (&reply:EAP-Message && &reply:Reply-Message) Wed Oct 22 19:47:17 2014 : Debug: (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Wed Oct 22 19:47:17 2014 : Debug: (8) else else { Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[post-auth]: calling noop (rlm_always) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) modsingle[post-auth]: returned from noop (rlm_always) for request 8 Wed Oct 22 19:47:17 2014 : Debug: (8) [noop] = noop Wed Oct 22 19:47:17 2014 : Debug: (8) } # else else = noop Wed Oct 22 19:47:17 2014 : Debug: (8) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop Wed Oct 22 19:47:17 2014 : Debug: (8) } # Post-Auth-Type REJECT = updated Wed Oct 22 19:47:17 2014 : Debug: (8) Delaying response for 1 seconds Wed Oct 22 19:47:17 2014 : Debug: Thread 1 waiting to be assigned a request Wed Oct 22 19:47:18 2014 : Debug: Waking up in 0.6 seconds. Wed Oct 22 19:47:18 2014 : Debug: (8) Sending delayed response Wed Oct 22 19:47:18 2014 : Debug: (8) Sending Access-Reject packet to host 192.168.14.56 port 2083, id=1, length=0 Wed Oct 22 19:47:18 2014 : Debug: (8) Reply-Message = 'Hello, root' Sending Access-Reject Id 1 from 0.0.0.0:2083 to 192.168.14.56:2083 Reply-Message = 'Hello, root' TUNNELED DATA < 33 00: 03 01 00 21 76 36 57 24 bd 97 0d 4a 15 a5 f2 4d 10: 13 5f 61 fd 12 0d 48 65 6c 6c 6f 2c 20 72 6f 6f 20: 74 WRITE TO SSL 69 00: 17 03 01 00 40 bb e3 13 b9 34 ff 57 aa 32 38 19 10: ad da 7c aa 29 76 bf 04 ff 5a b1 64 00 5d 3c ff 20: 2c a1 4f 5f 76 31 63 04 d3 93 f9 a1 41 b8 1f 23 30: c9 c6 7e 59 da 1a 46 ff a7 e0 eb 7d f1 a2 0a 56 40: f3 d4 c4 dd de Wed Oct 22 19:47:18 2014 : Debug: (8) Writing to socket 14 Wed Oct 22 19:47:18 2014 : Debug: Waking up in 3.9 seconds. Wed Oct 22 19:47:23 2014 : Debug: (8) Cleaning up request packet ID 1 with timestamp +397 Wed Oct 22 19:47:23 2014 : Debug: Waking up in 5.4 seconds. Wed Oct 22 19:47:28 2014 : Debug: Waking up in 18.9 seconds.
Thanks and Regards, Anoop