Hi, Hello? Is there anybody out there? Can someone who knows how CHAP works please explain to me how this could be happening? Does a CHAP challenge time-out after a certain amount of time? Does the rlm_chap module hold a copy of old CHAP challenge's and prevent the same one being re-used to stop replay attacks? If so how do I switch this off? Anyone? Anything? Dan... Thursday, August 30, 2007, 3:08:16 PM, you wrote:
Hi,
I've been running a free radius server for a while now, but today for no apparent reason I'm getting a lot of intermittent authentication failures using the rlm_chap module.
Here's a trace of two login's the first works fine, the second a few moments later fails, the username and password supplied in both cases are correct and exactly the same. Can anyone shed any light on this? I've tried rebuilding the mysql database from scratch, and recompiling and installing the radius server, but to no avail...
----------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 81.178.20.107:1024, id=25, length=204 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:14:A4:87:DF:FF" Called-Station-Id = "rural-ap1" NAS-Port-Id = "wlan2" User-Name = "dan@adelix.com" NAS-Port = 2149580817 Acct-Session-Id = "80200011" Framed-IP-Address = 10.5.50.254 Mikrotik-Host-IP = 10.5.50.254 CHAP-Challenge = 0xxxxxx[removed] CHAP-Password = 0xxxxxx[removed] Service-Type = Login-User WISPr-Logoff-URL = "http://10.5.50.1/logout" NAS-Identifier = "rural-ap1" NAS-IP-Address = 10.0.0.249 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 3 users: Matched entry DEFAULT at line 54 radius_xlat: '/usr/local/bin/mtauth.pl dan@adelix.com' modcall[authorize]: module "files" returns ok for request 3 radius_xlat: 'dan@adelix.com' rlm_sql (sql): sql_set_user escaped user --> 'dan@adelix.com' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'dan@adelix.com' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'dan@adelix.com' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'dan@adelix.com' ORDER BY id' rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'dan@adelix.com' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 3 modcall: leaving group authorize (returns ok) for request 3 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 3 rlm_chap: login attempt by "dan@adelix.com" with CHAP password rlm_chap: Using clear text password "xxxxxxx" for user dan@adelix.com authentication. rlm_chap: chap user dan@adelix.com authenticated succesfully modcall[authenticate]: module "chap" returns ok for request 3 modcall: leaving group CHAP (returns ok) for request 3 Exec-Program output: Session-Timeout=1173, Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121, Exec-Program-Wait: value-pairs: Session-Timeout=1173, Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121, Exec-Program: returned: 0 Sending Access-Accept of id 25 to 81.178.20.107 port 1024 Session-Timeout = 1173 Mikrotik-Xmit-Limit = 1073222818 Mikrotik-Recv-Limit = 1073515121 Finished request 3
----------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 81.178.20.107:1024, id=24, length=204 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:14:A4:87:DF:FF" Called-Station-Id = "rural-ap1" NAS-Port-Id = "wlan2" User-Name = "dan@adelix.com" NAS-Port = 2149580816 Acct-Session-Id = "80200010" Framed-IP-Address = 10.5.50.254 Mikrotik-Host-IP = 10.5.50.254 CHAP-Challenge = 0xxxxxx[removed] CHAP-Password = 0xxxxxx[removed] Service-Type = Login-User WISPr-Logoff-URL = "http://10.5.50.1/logout" NAS-Identifier = "rural-ap1" NAS-IP-Address = 10.0.0.249 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 5 users: Matched entry DEFAULT at line 54 radius_xlat: '/usr/local/bin/mtauth.pl dan@adelix.com' modcall[authorize]: module "files" returns ok for request 5 radius_xlat: 'dan@adelix.com' rlm_sql (sql): sql_set_user escaped user --> 'dan@adelix.com' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'dan@adelix.com' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'dan@adelix.com' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'dan@adelix.com' ORDER BY id' rlm_sql_mysql: query: SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'dan@adelix.com' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dan@adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 5 modcall: leaving group authorize (returns ok) for request 5 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 5 rlm_chap: login attempt by "dan@adelix.com" with CHAP password rlm_chap: Using clear text password "xxxxxxx" for user dan@adelix.com authentication. rlm_chap: Password check failed modcall[authenticate]: module "chap" returns reject for request 5 modcall: leaving group CHAP (returns reject) for request 5 auth: Failed to validate the user.
----------------------------------------------------------------------------------------
--
Dan Searle Adelix Ltd dan.searle@adelix.com web: www.adelix.com tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592 snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.
Adelix Ltd is a registered company in England & Wales No. 4232156 VAT registration number 779 4232 91 Adelix Ltd is BS EN ISO 9001:2000 Certified (No. GB 12763)
Any views expressed in this email communication are those of the individual sender, except where the sender specifically states them to be the views of a member of Adelix Ltd. Adelix Ltd. does not represent, warrant or guarantee that the integrity of this communication has been maintained nor that the communication is free of errors or interference.
------------------------------------------------------------------------------------ Scanned for viruses, spam and offensive content by CensorNet MailSafe
Professional Web & E-mail Filtering from www.censornet.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------------------ Scanned for viruses, spam and offensive content by CensorNet MailSafe
Professional Web & E-mail Filtering from www.censornet.com
-- Dan Searle Adelix Ltd dan.searle@adelix.com web: www.adelix.com tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592 snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK. Adelix Ltd is a registered company in England & Wales No. 4232156 VAT registration number 779 4232 91 Adelix Ltd is BS EN ISO 9001:2000 Certified (No. GB 12763) Any views expressed in this email communication are those of the individual sender, except where the sender specifically states them to be the views of a member of Adelix Ltd. Adelix Ltd. does not represent, warrant or guarantee that the integrity of this communication has been maintained nor that the communication is free of errors or interference. ------------------------------------------------------------------------------------ Scanned for viruses, spam and offensive content by CensorNet MailSafe Professional Web & E-mail Filtering from www.censornet.com