Thanks Fajar

I tried with the suggestions and using RadiusTest client from Radutils.


debug output is given below. Pls suggest what is wrong here?



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: ../etc/raddb/proxy.conf
Config:   including file: ../etc/raddb/clients.conf
Config:   including file: ../etc/raddb/snmp.conf
Config:   including file: ../etc/raddb/eap.conf
Config:   including file: ../etc/raddb/sql.conf
 main: prefix = ".."
 main: localstatedir = "../var"
 main: logdir = "../var/log/radius"
 main: libdir = "../lib"
 main: radacctdir = "../var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "../var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "../var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "../sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is ../lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "../var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS
.net-Server.pem"
 tls: certificate_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS
.net-Server.crt"
 tls: CA_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.c
rt"
 tls: private_key_password = "demo"
 tls: dh_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh"
 tls: random_file = "../etc/raddb/certs/FreeRADIUS.net/DemoCerts/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "%{User-Name}"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not wor
k!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "../etc/raddb/huntgroups"
 preprocess: hints = "../etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/auth-detai
l-%Y%m%d.log"
 detail: detailperm = 511
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "../etc/raddb/users"
 files: acctusersfile = "../etc/raddb/acct_users"
 files: preproxy_usersfile = "../etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Addre
ss, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%
m%d.log"
 detail: detailperm = 511
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded Counter
 counter: filename = "../etc/raddb/db.daily"
 counter: key = "User-Name"
 counter: reset = "daily"
 counter: count-attribute = "Acct-Session-Time"
 counter: counter-name = "Daily-Session-Time"
 counter: check-name = "Max-Daily-Session"
 counter: allowed-servicetype = "Framed-User"
 counter: cache-size = 5000
rlm_counter: Counter attribute Daily-Session-Time is number 1830
rlm_counter: Current Time: 1369651200 [2013-05-27 16:10:00], Next reset 13696794
00 [2013-05-28 00:00:00]
Module: Instantiated counter (daily)
Module: Loaded radutmp
 radutmp: filename = "../var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 511
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-
detail-%Y%m%d.log"
 detail: detailperm = 511
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (pre_proxy_log)
 detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/post-proxy
-detail-%Y%m%d.log"
 detail: detailperm = 511
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (post_proxy_log)
 detail: detailfile = "../var/log/radius/radacct/%{Client-IP-Address}/reply-deta
il-%Y%m%d.log"
 detail: detailperm = 511
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:2308, id=119, length=46
        User-Name = "test1"
        CHAP-Password = 0x77d3c05edbcc4f08fa677f7c829d1592ba
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '../var/log/radius/radacct/127.0.0.1/auth-detail-20130527.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.lo
g expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20130527.log
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 170
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication m
ay fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "test1" with CHAP password
  rlm_chap: Could not find clear text password for user test1
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_chap: Clear text password not available): [test1/<CHAP-Pass
word>] (from client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 127.0.0.1 port 2308
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 119 with timestamp 51a338b1
Nothing to do.  Sleeping until we see a request.





On Mon, May 27, 2013 at 3:39 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Mon, May 27, 2013 at 4:48 PM, Navodit Bhardwaj
<navodit.bhardwaj@gmail.com> wrote:
> Hi
>
> Can someone guide me how to set CHAP only authentication.

Why?

>
> I am using following entry in my users.conf
>
>
> username                Auth-Type := Local, Password := password
>                  Fall-Through = Yes
>

In most cases you will NOT need Auth-Type := Local. Remove that.

>
>
> Can someone help me with detail steps for configuring CHAP

If you don't edit anything else, you should be to use PAP, CHAP, and
MSCHAPv2 out of the box, and test it with "radtest" from localhost. To
add more NAS you can edit clients.conf. See
http://wiki.freeradius.org/guide/Basic-configuration-HOWTO

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
br,
Navodit Bhardwaj
Hughes Systique Corporation