# freeradius -v freeradius: FreeRADIUS Version 2.1.12 We have a puzzling issue with CHAP Authentication: Using radtest like this works: radtest -d /etc/freeradius/ -t chap "6064191000@ev.myawi.com" "6D464023735E40604457225169645C69" 127.0.0.1 1812 xxxxxx But when a real live device request comes in, it fails: This should be allowed but is rejected: Using md5 hashing, we have confirmed that it is accurate: Radius Protocol Code: Access-Request (1) Packet identifier: 0x51 (81) Length: 145 Authenticator: dbad48a07b45dc16a42806283bfa3432 [The response to this request is in frame 2] Attribute Value Pairs AVP: l=25 t=User-Name(1): 6064191000@ev.myawi.com User-Name: 6064191000@ev.myawi.com AVP: l=19 t=CHAP-Password(3): a7737618eb2d4f46a3945215a989923560 CHAP-Password: a7737618eb2d4f46a3945215a989923560 CHAP Ident: 0xa7 CHAP String: 737618eb2d4f46a3945215a989923560 AVP: l=6 t=NAS-IP-Address(4): 10.xxx.2.1 NAS-IP-Address: 10.xxx.2.1 (10.xxx.2.1) AVP: l=18 t=CHAP-Challenge(60): 5072685c0183c07d006ff00c160671a0 CHAP-Challenge: 5072685c0183c07d006ff00c160671a0 AVP: l=12 t=Vendor-Specific(26) v=3rd Generation Partnership Project 2 (3GPP2)(5535) VSA: l=6 t=3GPP2-HRPD-Access/Terminal-Authentication-and-1x-Access-Authorization(60): 1 3GPP2-HRPD-Access/Terminal-Authentication-and-1x-Access-Authorization: 1 AVP: l=23 t=Vendor-Specific(26) v=3rd Generation Partnership Project 2 (3GPP2)(5535) VSA: l=17 t=3GPP2-AT-Hardware-Identifier(61): [unhandled integer length(15)] AVP: l=18 t=Message-Authenticator(80): 8ce6cfeb0d0ef6a09bd3dbbdd7495226 Message-Authenticator: 8ce6cfeb0d0ef6a09bd3dbbdd7495226 AVP: l=4 t=Proxy-State(33): 3834 Proxy-State: 3834 Here is the users file we are using for testing: 6064191000@ev.myawi.com Cleartext-Password := "6D464023735E40604457225169645C69" Callback-Id = "000006064191000", Fall-Through = Yes Here is the debug on freeradius -X Thu Apr 10 15:21:22 2014 : Info: Ready to process requests. rad_recv: Access-Request packet from host 10.xx.xx.32 port 1814, id=81, length=145 User-Name = "6064191000@ev.myawi.com" CHAP-Password = 0xa7737618eb2d4f46a3945215a989923560 NAS-IP-Address = 10.xxx.2.1 CHAP-Challenge = 0x5072685c0183c07d006ff00c160671a0 3GPP2-Attr-60 = 0x00000001 3GPP2-Attr-61 = 0x010600000001020935799505892280 Message-Authenticator = 0x8ce6cfeb0d0ef6a09bd3dbbdd7495226 Proxy-State = 0x3834 Thu Apr 10 15:24:22 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Thu Apr 10 15:24:22 2014 : Info: +- entering group authorize {...} Thu Apr 10 15:24:22 2014 : Info: ++[preprocess] returns ok Thu Apr 10 15:24:22 2014 : Info: ++[auth_log] returns ok Thu Apr 10 15:24:22 2014 : Info: [chap] Setting 'Auth-Type := CHAP' Thu Apr 10 15:24:22 2014 : Info: ++[chap] returns ok Thu Apr 10 15:24:22 2014 : Info: [suffix] Looking up realm "ev.myawi.com" for User-Name = "6064191000@ev.myawi.com" Thu Apr 10 15:24:22 2014 : Info: [suffix] No such realm "ev.myawi.com" Thu Apr 10 15:24:22 2014 : Info: ++[suffix] returns noop Thu Apr 10 15:24:22 2014 : Info: [files] users: Matched entry 6064191000@ev.myawi.com at line 1 Thu Apr 10 15:24:22 2014 : Info: ++[files] returns ok Thu Apr 10 15:24:22 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP Thu Apr 10 15:24:22 2014 : Info: ++[pap] returns noop Thu Apr 10 15:24:22 2014 : Info: Found Auth-Type = CHAP Thu Apr 10 15:24:22 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Thu Apr 10 15:24:22 2014 : Info: +- entering group CHAP {...} Thu Apr 10 15:24:22 2014 : Info: [chap] login attempt by "6064191000@ev.myawi.com" with CHAP password Thu Apr 10 15:24:22 2014 : Info: [chap] Using clear text password "325C7727326B6176362A324754623247" for user 6064191000@ev.myawi.com authentication. Thu Apr 10 15:24:22 2014 : Info: [chap] Password check failed Thu Apr 10 15:24:22 2014 : Info: ++[chap] returns reject Thu Apr 10 15:24:22 2014 : Info: Failed to authenticate the user. Thu Apr 10 15:24:22 2014 : Auth: Login incorrect (rlm_chap: Wrong user password): [6064191000@ev.myawi.com/<CHAP-Password>] (from client radiusxx port 0) Thu Apr 10 15:24:22 2014 : Info: Using Post-Auth-Type Reject -- respectfully, Joseph | IT