Hello all, I'm troubleshooting a new cell modem authentication attempt. Previous cell modems from the same company work fine, but these new cell modem are having an issues authenticating via CHAP even though the username and password are correct and radcheck and ntradping work just fine. We're thinking it might have to do with the CHAP challenge length that gets sent by these new modems, or more specifically, the new radio module in them. From packet captures, the same length gets sent every time (59), but fails with the [chap] Password check failed ++[chap] returns reject every time. Successful attempts from other modems have varying length up to 50 from what I've seen. Is there a higher level of debug I can turn on to see what CHAP is failing even though the correct username and password are being supplied or is there a CHAP setting somewhere specifies maximum challenge length? I'm told these modems were successfully tested against a Juniper RADIUS server. Below is the debug output and my freeradius version. Any help would be greatly appreciated. Thanks! +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mktest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' rlm_sql (sql): Reserving sql socket id: 9 [sql] expand: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active' ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql (sql): Released sql socket id: 9 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "mktest" with CHAP password [chap] Using clear text password "1234567" for user mktest authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [mktest/<CHAP-Password>] (from client modemAuth port 60000 cli xxxxxxxxxxx) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] ... expanding second conditional [sql] expand: Chap-Password -> Chap-Password [sql] expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) [sql] expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Reserving sql socket id: 8 rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Released sql socket id: 8 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> mktest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 83 to 166.185.13.111 port 1645 Waking up in 4.9 seconds. rpm -qi freeradius2 Name : freeradius2 Relocations: (not relocatable) Version : 2.1.12 Vendor: CentOS Release : 3.el5 Build Date: Wed 22 Feb 2012 08:08:30 PM UTC Install Date: Mon 19 Mar 2012 07:05:05 PM UTC Build Host: builder10.centos.org Group : System Environment/Daemons Source RPM: freeradius2-2.1.12-3.el5.src.rpm Size : 5873621 License: GPLv2+ and LGPLv2+ Signature : DSA/SHA1, Wed 22 Feb 2012 08:22:13 PM UTC, Key ID a8a447dce8562897 URL : http://www.freeradius.org/ Summary : High-performance and highly configurable free RADIUS server [root@RADIUS ~]# radtest -t chap mktest 1234567 localhost 0 testing123 Sending Access-Request of id 156 to 127.0.0.1 port 1812 User-Name = "mktest" CHAP-Password = 0x9c87f965b84313794308aa6e7dac569e08 NAS-IP-Address = 192.168.149.201 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=156, length=26 Framed-IP-Address = 10.130.0.35