Good evening Alan, I verified that by setting debug level to 3, the password chap control mechanism, with CHAP Challenge above 48 bytes, does not work properly. CHAP-Challenge 120 Byte (0) Received Access-Request Id 53 from 192.168.219.1:51447 to 192.168.219.131:1812 length 112 (0) User-Name = "bob" (0) CHAP-Password = 0xa022e9432b6f504f46a26c930b6ca07315 (0) NAS-Port-Type = Ethernet (0) CHAP-Challenge = 0x626f626764686a73676467736a677361676a68736468616a68616a68736a73736b6b73736b736b736b6461736a64616a353633337437337565373274 ... (0) Auth-Type CHAP { (0) modsingle[authenticate]: calling chap (rlm_chap) (0) chap: Comparing with "known good" &control:Cleartext-Password value "hello" (0) chap: Using challenge from &request:CHAP-Challenge (0) chap: CHAP challenge : 626f626764686a73676467736a677361676a68736468616a68616a68736a73736b6b73736b736b736b6461736a64616a353633337437337565373274 (0) chap: Client sent : 22e9432b6f504f46a26c930b6ca07315 (0) chap: We calculated : 38363136613638373336613733373336 (0) chap: ERROR: Password comparison failed: password is incorrect (0) modsingle[authenticate]: returned from chap (rlm_chap) (0) [chap] = reject (0) } # Auth-Type CHAP = reject By lowering the debug level to 2 or lower, everything works fine. (0) Received Access-Request Id 54 from 192.168.219.1:51511 to 192.168.219.131:1812 length 112 (0) User-Name = "bob" (0) CHAP-Password = 0xb696491421f5afde906b79189d9d805c15 (0) NAS-Port-Type = Ethernet (0) CHAP-Challenge = 0x626f626764686a73676467736a677361676a68736468616a68616a68736a73736b6b73736b736b736b6461736a64616a353633337437337565373274 ... (0) Auth-Type CHAP { (0) chap: Comparing with "known good" Cleartext-Password (0) chap: CHAP user "bob" authenticated successfully (0) [chap] = ok (0) } # Auth-Type CHAP = ok Best Regards Andrea ________________________________ Da: Freeradius-Users <freeradius-users-bounces+andrea.mucci=outlook.com@lists.freeradius.org> per conto di Alan DeKok <aland@deployingradius.com> Inviato: venerdì 21 settembre 2018 19:14 A: FreeRadius users mailing list Cc: luciana.coppola@hpe.com Oggetto: Re: Issue with Chap Auth - freeradius v3.0.16 on RHEL 7.4 On Sep 21, 2018, at 12:42 PM, Andrea Mucci <andrea.mucci@outlook.com> wrote:
Hi All.
I have an issue on Chap Authentication Request. It seems that if CHAPChallenge size is longer than 48 bytes, Freeradius sends an Access Reject.
It works for me with the v3.0.x head. And that code hasn't changed for a long time. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html