rlm_chap: Attribute "CHAP-Password" is required for authentication
Hi, everybody have been trying to solve the problem, but in vain. It is FR 2.0.2 FreeBSD 6.2-RELEASE-p1 When using radtest (or dial up access) there is no Attribute "CHAP-Password" and the user is not authenticated, however the same user is authenticated when connecting via VPN. What needs to be changed for dial-up to work? Would be grateful for any comments Thanks Slava Shkarupin Kiev, UA ++++++++++++++++++++++++++++++++++++++++++++++++++ This is -X radtest output for user Olga1 (dial-up attempt gives a similar result - user is rejected) rad_recv: Access-Request packet from host 127.0.0.1 port 59528, id=206, length=56 User-Name = "Olga1" User-Password = "akrd24bf" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok expand: %A/%{Client-IP-Address}/detail -> /opt/freeradius/2.0.2/var/log/radius/radacct/127.0.0.1/detail rlm_detail: %A/%{Client-IP-Address}/detail expands to /opt/freeradius/2.0.2/var/log/radius/radacct/127.0.0.1/detail expand: %t -> Sun Jul 6 13:07:03 2008 ++[auth_log] returns ok rlm_pam: pam_auth call. username: Olga1 username name: User-Name rlm_pam: received attribute:1. rlm_pam: received attribute:2. rlm_pam: received attribute:4. rlm_pam: received attribute:5. rlm_pam: cisco_voip_detection enabled data->chap_password=1,data->special_username=(null),user_name_buff=Olga1 rlm_pam: pam_pass: name = Olga1, passwd = (null) pam_pass: function pam_authenticate SUCCESS for <Olga1>. pam_pass: function pam_acct_mgmt SUCCESS for <Olga1>. pam_pass: received framed_ip_address <192.168.0.65/32> pam_pass: received nas_command <> pam_pass: received password for chap <akrd24bf> pam_pass: authentication result for <Olga1> is 0 rlm_pam: pam_pass return 0 (success). rlm_pam: received password for chap:akrd24bf rlm_pam: received password for chap in vp:akrd24bf ++[pam] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "Olga1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop @@@@eap+aouthorize begin rlm_eap: No EAP-Message, not doing EAP @@@@eap+aouthorize returns NOOP ++[eap] returns noop ++[unix] returns notfound users: Matched entry DEFAULT at line 158 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Chap !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: Attribute "CHAP-Password" is required for authentication. ++[chap] returns invalid auth: Failed to validate the user. Login incorrect: [Olga1/akrd24bf] (from client localhost port 1) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> Olga1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 10 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 10 Sending Access-Reject of id 206 to 127.0.0.1 port 59528 Waking up in 4.9 seconds. Cleaning up request 10 ID 206 with timestamp +1508 Ready to process requests. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ This is the real process of connecting through VPN with Radius in -X mode for the same user - user is authenticated rad_recv: Access-Request packet from host 127.0.0.1 port 52114, id=58, length=171 NAS-Identifier = "test-server-1.net.ua" Acct-Session-Id = "5338180-L-10" NAS-Port = 10 NAS-Port-Type = Virtual Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "10.1.0.250" NAS-Port-Id = "vlan310" User-Name = "Olga1" CHAP-Challenge = 0xbb1e68637b631b2b9ab0f56a0da47704dd3d76f1babbdcabcdec77f9b1fd0559e1b9bc5c CHAP-Password = 0x019220c41b166ec97be36327f0e0253d02 +- entering group authorize ++[preprocess] returns ok expand: %A/%{Client-IP-Address}/detail -> /opt/freeradius/2.0.2/var/log/radius/radacct/127.0.0.1/detail rlm_detail: %A/%{Client-IP-Address}/detail expands to /opt/freeradius/2.0.2/var/log/radius/radacct/127.0.0.1/detail expand: %t -> Sun Jul 6 12:56:20 2008 ++[auth_log] returns ok rlm_pam: pam_auth call. username: Olga1 username name: User-Name rlm_pam: received attribute:32. rlm_pam: received attribute:44. rlm_pam: received attribute:5. rlm_pam: received attribute:61. rlm_pam: received attribute:6. rlm_pam: received attribute:7. rlm_pam: received attribute:31. rlm_pam: received attribute:87. rlm_pam: received attribute:1. rlm_pam: received attribute:60. rlm_pam: received attribute:3. rlm_pam: received attribute:4. rlm_pam: cisco_voip_detection enabled data->chap_password=1,data->special_username=(null),user_name_buff=Olga1 rlm_pam: pam_pass: name = Olga1, passwd = (null) pam_pass: function pam_authenticate SUCCESS for <Olga1>. pam_pass: function pam_acct_mgmt SUCCESS for <Olga1>. pam_pass: received framed_ip_address <192.168.0.30/32> pam_pass: received nas_command <> pam_pass: received password for chap <akrd24bf> pam_pass: authentication result for <Olga1> is 0 rlm_pam: pam_pass return 0 (success). rlm_pam: received password for chap:akrd24bf rlm_pam: received password for chap in vp:akrd24bf ++[pam] returns ok rlm_chap: Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "Olga1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop @@@@eap+aouthorize begin rlm_eap: No EAP-Message, not doing EAP @@@@eap+aouthorize returns NOOP ++[eap] returns noop ++[unix] returns notfound users: Matched entry DEFAULT at line 158 users: Matched entry DEFAULT at line 179 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Chap !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "Olga1" with CHAP password rlm_chap: Using clear text password "akrd24bf" for user Olga1 authentication. rlm_chap: chap user Olga1 authenticated succesfully ++[chap] returns ok Login OK: [Olga1/<CHAP-Password>] (from client localhost port 10 cli 10.1.0.250) +- entering group post-auth expand: /opt/freeradius/2.0.2/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /opt/freeradius/2.0.2/var/log/radius/radacct/127.0.0.1/ reply-detail-20080706 rlm_detail: /opt/freeradius/2.0.2/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /opt/freeradius/2.0.2/var/log/radius/radacct/127.0.0.1/reply-detail-20080706 expand: %t -> Sun Jul 6 12:56:20 2008 ++[reply_log] returns ok Sending Access-Accept of id 58 to 127.0.0.1 port 52114 Framed-IP-Address = 192.168.0.30 Framed-IP-Netmask = 255.255.255.255 Framed-Protocol = PPP Service-Type = Framed-User Framed-Compression = Van-Jacobson-TCP-IP Finished request 2. Going to the next request Waking up in 0.9 seconds. Waking up in 4.0 seconds. Cleaning up request 2 ID 58 with timestamp +865 Ready to process requests.
Slava wrote:
When using radtest (or dial up access) there is no Attribute "CHAP-Password" and the user is not authenticated, however the same user is authenticated when connecting via VPN. What needs to be changed for dial-up to work?
Don't set Auth-Type := CHAP. i.e. use the default configuration files. Don't edit them to break the server.
rad_recv: Access-Request packet from host 127.0.0.1 port 59528, id=206, length=56 User-Name = "Olga1" User-Password = "akrd24bf" ... rad_check_password: Found Auth-Type Chap
The only way this happens is if you edited the default configuration files to break them. Don't do that. Maybe the PAM module is adding Auth-Type = CHAP. It looks like you've edited the source code to the PAM module, so all bets are off. The default configuration works. Don't break it. Alan DeKok.
participants (2)
-
Alan DeKok -
Slava