Hi All We are getting seemingly random CHAP authentication issues. These are known good passwords configured on test routers, however we still get the same authentication failed. Has anyone else seen such things? A debug output for one such request is here. The password that the module pulls out to compare against is 100% what we are using. rad_recv: Access-Request packet from host 217.196.224.5 port 1645, id=92, length=148 Framed-Protocol = PPP User-Name = "264247.313093@hs.hsoworld.com" CHAP-Password = 0x022714dafa245ec52463c2afc25ea7dbe2 Calling-Station-Id = "BBEU17129208" Connect-Info = "6631000/444000" NAS-Port-Type = ISDN NAS-Port = 21378 NAS-Port-Id = "Uniq-Sess-ID1378" Service-Type = Framed-User NAS-IP-Address = 217.196.224.5 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{NAS-IP-Address} -> 217.196.224.5 ++[preprocess] = ok [chap] Setting 'Auth-Type := CHAP' ++[chap] = ok ++[mschap] = noop [suffix] Looking up realm "hs.hsoworld.com" for User-Name = "264247.313093@hs.hsoworld.com" [suffix] Found realm "hs.hsoworld.com" [suffix] Adding Stripped-User-Name = "264247.313093" [suffix] Adding Realm = "hs.hsoworld.com" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[unix] = notfound [files] users: Matched entry DEFAULT at line 425 ++[files] = ok [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] expand: %{Stripped-User-Name:-%{User-Name:-none}} -> 264247.313093 [sql] sql_set_user escaped user --> '264247.313093' rlm_sql (sql): Reserving sql socket id: 5 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '264247.313093' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '264247.313093' ORDER BY id [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = '264247.313093' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hsodefault' ORDER BY id [sql] User found in group hsodefault [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hsodefault' ORDER BY id rlm_sql (sql): Released sql socket id: 5 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +group CHAP { [chap] login attempt by "264247.313093" with CHAP password [chap] Using clear text password "Gr03ven0r" for user 264247.313093 authentication. [chap] Password check failed ++[chap] = reject +} # group CHAP = reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [264247.313093@hs.hsoworld.com] (from client lns00.hex.uk port 21378 cli BBEU17129208) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated _____________________________________________________________________ This e-mail and all attachments have been scanned by the hSo virus scanning service powered by Symantec and no known viruses were detected.