Strange Problem with chap.
Hello, I am using chilli-coova as hotspot and making its authentication via freeradius. I dont know if you have any experience with this software but, It has 2 kind of login pages. One is a cgi page with clean password, other is a java script making chap authentication. here is the problem. On freeradius i am using rlm_perl authentication for my users. When i use cgi page or radtest tool and send clean password, everything works flawless... But if i decide to use chap somthing strange happens.. If i type correct user/pass freeradus denies it.. But it i type the password wrong, freeradius accepts it.. Heres the debug for freeradius.. 7798-1 is with the right user/pass comination 7798 is the wrong user/pass combination rad_recv: Access-Request packet from host 139.179.14.250 port 33545, id=30, length=285 Vendor-14559-Attr-8 = 0x312e302e3131 User-Name = "7798-1" CHAP-Challenge = 0x091c2ecc9622c2b8072a20db2a85840e CHAP-Password = 0x001143a4c3f8a192f89b9ff9e7f6f85fe0 NAS-IP-Address = 192.168.182.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "00-14-22-A1-BB-AB" Called-Station-Id = "00-0E-0C-6E-6E-7C" NAS-Identifier = "nas01" Acct-Session-Id = "491944cd00000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova," WISPr-Location-Name = "My_HotSpot" WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Message-Authenticator = 0xcf009790c3d4d941242929020db19b43 server lojnet { +- entering group authorize ++[preprocess] returns ok users: Matched entry DEFAULT at line 72 ++[files] returns ok ++[control] returns ok perl_pool: item 0xbe7fd00 asigned new request. Handled so far: 1 found interpetator at address 0xbe7fd00 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair CHAP-Password = 0x001143a4c3f8a192f89b9ff9e7f6f85fe0 rlm_perl: Added pair WISPr-Logoff-URL = http://192.168.182.1:3990/logoff rlm_perl: Added pair Acct-Session-Id = 491944cd00000001 rlm_perl: Added pair Service-Type = Login-User rlm_perl: Added pair Vendor-14559-Attr-8 = 0x312e302e3131 rlm_perl: Added pair Called-Station-Id = 00-0E-0C-6E-6E-7C rlm_perl: Added pair Message-Authenticator = 0xcf009790c3d4d941242929020db19b43 rlm_perl: Added pair CHAP-Challenge = 0x091c2ecc9622c2b8072a20db2a85840e rlm_perl: Added pair NAS-IP-Address = 192.168.182.1 rlm_perl: Added pair Calling-Station-Id = 00-14-22-A1-BB-AB rlm_perl: Added pair WISPr-Location-ID = isocc=,cc=,ac=,network=Coova, rlm_perl: Added pair User-Name = 7798-1 rlm_perl: Added pair NAS-Identifier = nas01 rlm_perl: Added pair Framed-IP-Address = 192.168.182.2 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair WISPr-Location-Name = My_HotSpot rlm_perl: Added pair Reply-Message = Unknown Username Or Password rlm_perl: Added pair Simultaneous-Use = 1 rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [32/0/32] Unreserve perl at address 0xbe7fd00 ++[perl_lojnet] returns reject Invalid user: [7798-1/<CHAP-Password>] (from client wireless-client port 1 cli 00-14-22-A1-BB-AB) } # server lojnet Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 7798-1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 21 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 21 Sending Access-Reject of id 30 to 139.179.14.250 port 33545 Reply-Message = "Unknown Username Or Password" Waking up in 4.9 seconds. Cleaning up request 21 ID 30 with timestamp +1299 Ready to process requests. rad_recv: Access-Request packet from host 139.179.14.250 port 56290, id=34, length=283 Vendor-14559-Attr-8 = 0x312e302e3131 User-Name = "7798" CHAP-Challenge = 0xf5a327d969a14458fc8e232dc2b2dd0e CHAP-Password = 0x00754c55931928ae23c86ffc791482d963 NAS-IP-Address = 192.168.182.1 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "00-14-22-A1-BB-AB" Called-Station-Id = "00-0E-0C-6E-6E-7C" NAS-Identifier = "nas01" Acct-Session-Id = "491944cd00000001" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 WISPr-Location-ID = "isocc=,cc=,ac=,network=Coova," WISPr-Location-Name = "My_HotSpot" WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Message-Authenticator = 0x8ccc91235f97010a7c09802979e2cdea server lojnet { +- entering group authorize ++[preprocess] returns ok users: Matched entry DEFAULT at line 72 ++[files] returns ok ++[control] returns ok perl_pool: item 0xc1dfb10 asigned new request. Handled so far: 1 found interpetator at address 0xc1dfb10 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair CHAP-Password = 0x00754c55931928ae23c86ffc791482d963 rlm_perl: Added pair WISPr-Logoff-URL = http://192.168.182.1:3990/logoff rlm_perl: Added pair Acct-Session-Id = 491944cd00000001 rlm_perl: Added pair Service-Type = Login-User rlm_perl: Added pair Vendor-14559-Attr-8 = 0x312e302e3131 rlm_perl: Added pair Called-Station-Id = 00-0E-0C-6E-6E-7C rlm_perl: Added pair Message-Authenticator = 0x8ccc91235f97010a7c09802979e2cdea rlm_perl: Added pair CHAP-Challenge = 0xf5a327d969a14458fc8e232dc2b2dd0e rlm_perl: Added pair NAS-IP-Address = 192.168.182.1 rlm_perl: Added pair Calling-Station-Id = 00-14-22-A1-BB-AB rlm_perl: Added pair WISPr-Location-ID = isocc=,cc=,ac=,network=Coova, rlm_perl: Added pair User-Name = 7798 rlm_perl: Added pair NAS-Identifier = nas01 rlm_perl: Added pair Framed-IP-Address = 192.168.182.2 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair WISPr-Location-Name = My_HotSpot rlm_perl: Added pair Simultaneous-Use = 1 rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [32/0/32] Unreserve perl at address 0xc1dfb10 ++[perl_lojnet] returns ok rad_check_password: Found Auth-Type Perl auth: type "Perl" +- entering group Perl perl_pool: item 0xc53f920 asigned new request. Handled so far: 1 found interpetator at address 0xc53f920 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair CHAP-Password = 0x00754c55931928ae23c86ffc791482d963 rlm_perl: Added pair Acct-Session-Id = 491944cd00000001 rlm_perl: Added pair WISPr-Logoff-URL = http://192.168.182.1:3990/logoff rlm_perl: Added pair Service-Type = Login-User rlm_perl: Added pair Vendor-14559-Attr-8 = 0x312e302e3131 rlm_perl: Added pair Called-Station-Id = 00-0E-0C-6E-6E-7C rlm_perl: Added pair Message-Authenticator = 0x8ccc91235f97010a7c09802979e2cdea rlm_perl: Added pair CHAP-Challenge = 0xf5a327d969a14458fc8e232dc2b2dd0e rlm_perl: Added pair NAS-IP-Address = 192.168.182.1 rlm_perl: Added pair Calling-Station-Id = 00-14-22-A1-BB-AB rlm_perl: Added pair WISPr-Location-ID = isocc=,cc=,ac=,network=Coova, rlm_perl: Added pair User-Name = 7798 rlm_perl: Added pair NAS-Identifier = nas01 rlm_perl: Added pair Framed-IP-Address = 192.168.182.2 rlm_perl: Added pair NAS-Port = 1 rlm_perl: Added pair WISPr-Location-Name = My_HotSpot rlm_perl: Added pair Acct-Interim-Interval = 60 rlm_perl: Added pair WISPr-Bandwidth-Max-Up = 25600000 rlm_perl: Added pair WISPr-Bandwidth-Max-Down = 100000000 rlm_perl: Added pair Simultaneous-Use = 1 rlm_perl: Added pair Auth-Type = Perl perl_pool total/active/spare [32/0/32] Unreserve perl at address 0xc53f920 ++[perl_lojnet] returns ok +- entering group session ++[sql_lojnet] returns noop Login OK: [7798/<CHAP-Password>] (from client wireless-client port 1 cli 00-14-22-A1-BB-AB) +- entering group post-auth ++[exec] returns noop } # server lojnet Sending Access-Accept of id 34 to 139.179.14.250 port 56290
I am using chilli-coova as hotspot and making its authentication via freeradius. I dont know if you have any experience with this software but, It has 2 kind of login pages. One is a cgi page with clean password, other is a java script making chap authentication.
here is the problem. On freeradius i am using rlm_perl authentication for my users. When i use cgi page or radtest tool and send clean password, everything works flawless... But if i decide to use chap somthing strange happens.. If i type correct user/pass freeradus denies it.. But it i type the password wrong, freeradius accepts it..
No. If you type correct user/pass your perl script rejects it (sub authorize). But if you type the password wrong your perl script accepts it. Ivan Kalik Kalik Informatika ISP
I am using chilli-coova as hotspot and making its authentication via freeradius. I dont know if you have any experience with this software but, It has 2 kind of login pages. One is a cgi page with clean password, other is a java script making chap authentication.
here is the problem. On freeradius i am using rlm_perl authentication for my users. When i use cgi page or radtest tool and send clean password, everything works flawless... But if i decide to use chap somthing strange happens.. If i type correct user/pass freeradus denies it.. But it i type the password wrong, freeradius accepts it..
No. If you type correct user/pass your perl script rejects it (sub authorize). But if you type the password wrong your perl script accepts it.
Ivan Kalik Kalik Informatika ISP
So ? Couldnt get it..Sorry.. Does freeradius not accept rlm_perl type authentication when it gets a chap-type auth request? Even if i didnt add it to the virtualserver config. Is there a solution except changing my clients auth type from chap to clear-text? My virtual server config as follows.. server lojnet { authorize { preprocess files update control { Auth-Type := perl } perl_lojnet } authenticate { Auth-Type Perl { perl_lojnet } } preacct { acct_unique files } accounting { detail unix sql_lojnet } session { sql_lojnet } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am using chilli-coova as hotspot and making its authentication via freeradius. I dont know if you have any experience with this software but, It has 2 kind of login pages. One is a cgi page with clean password, other is a java script making chap authentication.
here is the problem. On freeradius i am using rlm_perl authentication for my users. When i use cgi page or radtest tool and send clean password, everything works flawless... But if i decide to use chap somthing strange happens.. If i type correct user/pass freeradus denies it.. But it i type the password wrong, freeradius accepts it..
No. If you type correct user/pass your perl script rejects it (sub authorize). But if you type the password wrong your perl script accepts it.
Ivan Kalik Kalik Informatika ISP
So ? Couldnt get it..Sorry..
Does freeradius not accept rlm_perl type authentication when it gets a chap-type auth request? Even if i didnt add it to the virtualserver config.
Freeradius is working fine. Your perl script isn't.
Is there a solution except changing my clients auth type from chap to clear-text?
Fix the script. If you don't know how to authenticate chap in perl - then don't do it. Enable chap in authorize and authenticate and pass the cleartext password to freeradius. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Oguzhan Kayhan -
tnt@kalik.net