Joseph Showalter wrote:
# freeradius -v freeradius: FreeRADIUS Version 2.1.12
<sigh> I wish vendors would use a recent version.
We have a puzzling issue with CHAP Authentication:
Using radtest like this works:
radtest -d /etc/freeradius/ -t chap "6064191000@ev.myawi.com" "6D464023735E40604457225169645C69" 127.0.0.1 1812 xxxxxx
It uses the same library as the server. So that isn't much of a test.
But when a real live device request comes in, it fails:
This should be allowed but is rejected: Using md5 hashing, we have confirmed that it is accurate:
What does that mean? The CHAP algorithm requires specific steps done in a specific order. Are you sure you did them all correctly? What values did you use?
Apr 10 15:24:22 2014 : Info: [chap] Using clear text password "325C7727326B6176362A324754623247" for user 6064191000@ev.myawi.com authentication. Thu Apr 10 15:24:22 2014 : Info: [chap] Password check failed
That's pretty definitive. You can believe (a) FreeRADIUS is wrong, and therefore millions of people can't use CHAP, or (b) the vendor got it wrong, or (c) you mis-typed the password on one or both ends. (c) is most likely. (b) much less so. (a) is almost impossible. I've seen vendors get basic RADIUS concepts wrong, and take years to fix them. But FreeRADIUS works with thousands of vendors equipment, for hundreds of millions of users, every single day. It's pretty much impossible for it to get the CHAP calculation wrong. I tried your packet as a test case with radclient: # file "chap" User-Name = "6064191000@ev.myawi.com" CHAP-Password = 0xa7737618eb2d4f46a3945215a989923560 CHAP-Challenge = 0x5072685c0183c07d006ff00c160671a0 $ /radclient -d ../../share/ -f chap -xx localhost auth testing123 And version 3 says (after some minor editing of output) chap : Login attempt by "6064191000@ev.myawi.com" with CHAP password chap : Comparing with "known good" Cleartext-Password "6D464023735E40604457225169645C69" chap : chap challenge dbad48a07b45dc16a42806283bfa3432 chap : client sent b39a3d7fb573cdf16e506df74cd4cbe0 chap : we calculated a7487911f7f12c921538b4af618f6396 chap : Password is comparison failed: password is incorrect It doesn't match. So the passwords are wrong, or the vendor doesn't calculate the CHAP-Password correctly. And WHY is everyone so quick to publicly blame FreeRADIUS, but then keep the vendors name a secret? WHICH vendor is it? What equipment? Make, model firmware? All that could be helpful. Alan DeKok.