Strange CHAP/PAP issue (Version 1.1.6)[sic!]
Hello all, I have a small (about 400 users) network based on pppoe with freeradius authentication. For the last few days I am trying to switch to CHAP authentication. I've made proper changes to radiusd.conf and pppoe-server to demand CHAP auth from users and here's what I get. Here's what we've got in the database : RADCHECK : TEST Cleartext-password := TEST987 TEST Auth-Type := CHAP TEST Password == TEST987 READREPLY: TEST Service-Type = Framed TEST Framed-Compression = Van-Jacobson-TCP-IP TEST Framed-MTU = 1492 TEST Framed-IP-Netmask = 255.255.255.0 TEST Framed-IP-Address = 10.100.2.156 TEST Framed-Protocol = ppp TEST Auth-Type := CHAP TEST Password == TEST987 And the error is : a) here's the fragment from the syslog : Sep 26 01:34:37 beta pppd[5311]: Connect: ppp44 <--> eth2 Sep 26 01:34:37 beta pppd[5311]: rc_avpair_new: unknown attribute 60 Sep 26 01:34:47 beta pppd[5311]: Peer TEST failed CHAP authentication b) And fragment from the radius debug mode : rad_recv: Access-Request packet from host 127.0.0.1:3458, id=144, length=88 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "TEST" CHAP-Password = 0xdf6fe5d7a573bff814452731ef01f044df Calling-Station-Id = "00:E0:91:14:52:C3" NAS-IP-Address = 127.0.0.1 NAS-Port = 8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "attr_filter" returns noop for request 3 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 3 radius_xlat: 'TEST' rlm_sql (sql): sql_set_user escaped user --> 'TEST' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'TEST' and access=1 ? ORDER BY id ' rlm_sql (sql): Reserving sql socket id: 1 radius_xlat: '' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'TEST' ORDER BY id ' radius_xlat: '' rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 3 modcall: leaving group authorize (returns ok) for request 3 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 3 rlm_chap: login attempt by "TEST" with CHAP password rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: Password check failed modcall[authenticate]: module "chap" returns reject for request 3 modcall: leaving group CHAP (returns reject) for request 3 auth: Failed to validate the user. Login incorrect (rlm_chap: Wrong user password): [TEST/<CHAP-Password>] (from client localhost port 8 cli 00:E0:91:14:52:C3) Delaying request 3 for 1 seconds Finished request 3 Going to the next request -------------- Any ideas ? Thanks a lot for your time and HELP! regards WZ -- Pozdrawiam, Wojciech Ziniewicz Administrator Cebit
Wojciech Ziniewicz wrote:
For the last few days I am trying to switch to CHAP authentication. I've made proper changes to radiusd.conf and pppoe-server to demand CHAP auth from users and here's what I get.
Here's what we've got in the database :
RADCHECK :
TEST Cleartext-password := TEST987 TEST Auth-Type := CHAP TEST Password == TEST987
Delete the last two entries. They're wrong.
b) And fragment from the radius debug mode :
rad_recv: Access-Request packet from host 127.0.0.1:3458, id=144, length=88 ... User-Name = "TEST" CHAP-Password = 0xdf6fe5d7a573bff814452731ef01f044df ... rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: Password check failed
That should work. If it doesn't, odds are that the PPP client is broken. Alan DeKok.
Hi again! Now , after deleting theese lines : (
TEST Auth-Type := CHAP TEST Password == TEST987 )
I've got the following : rlm_sql (sql): No matching entry in the database for request from user [TEST] modcall[authorize]: module "sql" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "TEST" with CHAP password rlm_chap: Could not find clear text password for user TEST modcall[authenticate]: module "chap" returns invalid for request 0 modcall: leaving group CHAP (returns invalid) for request 0 Then after changing the operator to ":=" I've got again : rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "TEST" with CHAP password rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: Password check failed modcall[authenticate]: module "chap" returns reject for request 0 modcall: leaving group CHAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect (rlm_chap: Wrong user password): [TEST/<CHAP-Password>] (from client localhost port 8 cli 00:E0:91:14:52:C3) Delaying request 0 for 1 seconds THe pppoe client's are mainly windows XP , windows Vista, linux, 3com, cisco and netgear routers as well as the pppoe-server is residing locally on the same machine as freeradius (that stores everything in mysql on the other machine but that's not a clue) - none of them can authenticate so i cant'believe it's th broken ppp client . I've read FAQ,docs and list and have no other clues ... MAYBE the thing is that i have only TWO tables - racheck and radreply (without ragroups etc...) and modified sql.conf to use queries for radcheck and radreply ONLY... maybe this is the problem ? (but i cant see the relevant error message ) Regards and thank You for Your time. WZ Dnia Śr Września 26 2007, 2:01 am, Alan DeKok napisał(a):
Wojciech Ziniewicz wrote:
For the last few days I am trying to switch to CHAP authentication. I've made proper changes to radiusd.conf and pppoe-server to demand CHAP auth from users and here's what I get.
Here's what we've got in the database :
RADCHECK :
TEST Cleartext-password := TEST987 TEST Auth-Type := CHAP TEST Password == TEST987
Delete the last two entries. They're wrong.
b) And fragment from the radius debug mode :
rad_recv: Access-Request packet from host 127.0.0.1:3458, id=144, length=88 ... User-Name = "TEST" CHAP-Password = 0xdf6fe5d7a573bff814452731ef01f044df ... rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: Password check failed
That should work. If it doesn't, odds are that the PPP client is broken.
Alan DeKok.
-- Pozdrawiam, Wojciech Ziniewicz Administrator Cebit
Wojciech Ziniewicz wrote:
Now , after deleting theese lines : ... I've got the following :
rlm_sql (sql): No matching entry in the database for request from user [TEST] modcall[authorize]: module "sql" returns notfound for request 0
Then you did something else, or your configuration is NOT what you said it was.
Then after changing the operator to ":=" I've got again :
Which operator? The only entry you need is Cleartext-Password := "TEST..." 1) That's what you said you had 2) the operator is already ":=".
rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: Password check failed
See? Either the client is broken, OR the password you entered on the client isn't the same as the one you put into the DB.
THe pppoe client's are mainly windows XP , windows Vista, linux, 3com, cisco and netgear routers as well as the pppoe-server is residing locally on the same machine as freeradius (that stores everything in mysql on the other machine but that's not a clue) - none of them can authenticate so i cant'believe it's th broken ppp client .
No... the RADIUS client is broken. i.e. Maybe the PPPoE server. There have been a LOT of problems on this list which have been tracked down to broken PPPoE servers. Alan DeKok.
Unsubscribe Hi All, I am sorry I did a mistake (I did copy and past from someone's email) last week. I would like to say thank you all of you, particularly to Alan DeKok. Cheers John Wan
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, 26 September 2007 10:27 AM To: wojtek@cebit.com.pl; FreeRadius users mailing list Subject: Re: Strange CHAP/PAP issue (Version 1.1.6)[sic!]
Wojciech Ziniewicz wrote:
Now , after deleting theese lines : ... I've got the following :
rlm_sql (sql): No matching entry in the database for request from user [TEST] modcall[authorize]: module "sql" returns notfound for request 0
Then you did something else, or your configuration is NOT what you said it was.
Then after changing the operator to ":=" I've got again :
Which operator? The only entry you need is Cleartext-Password := "TEST..."
1) That's what you said you had 2) the operator is already ":=".
rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: Password check failed
See? Either the client is broken, OR the password you entered on the client isn't the same as the one you put into the DB.
THe pppoe client's are mainly windows XP , windows Vista, linux, 3com, cisco and netgear routers as well as the pppoe-server is residing locally on the same machine as freeradius (that stores everything in mysql on the other machine but that's not a clue) - none of them can authenticate so i cant'believe it's th broken ppp client .
No... the RADIUS client is broken. i.e. Maybe the PPPoE server.
There have been a LOT of problems on this list which have been tracked down to broken PPPoE servers.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _______________________________________________________________________________ Notice from Melbourne Business School Ltd The information contained in this e-mail is confidential, and is intended for the named person's use only. It may contain proprietary or legally privileged information. If you have received this email in error, please notify the sender and delete it immediately. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient Internet communications are not secure. You should scan this message and any attachments for viruses. Melbourne Business School does not accept any liability for loss or damage which may result from receipt of this message or any attachments. ______________________________________________________________________________
Dnia Śr Września 26 2007, 2:26 am, Alan DeKok napisał(a):
Wojciech Ziniewicz wrote:
Now , after deleting theese lines : ... I've got the following :
rlm_sql (sql): No matching entry in the database for request from user [TEST] modcall[authorize]: module "sql" returns notfound for request 0
Then you did something else, or your configuration is NOT what you said it was.
Yeah , my mistake ;)
See? Either the client is broken, OR the password you entered on the client isn't the same as the one you put into the DB.
There have been a LOT of problems on this list which have been tracked down to broken PPPoE servers.
I am wondering - the only pppoe-server on linux that is free and most popular is rp-pppoe - i bet that at least 95% people use it and i know success stories with (whatever)-chap authentication on it. This is in fact the source of my frustration. Maybe i do something uncorrect with the operators ? or there are too few attributes/values in my radcheck/radreply ? As I understand for now - My client gives me the password md5'ed with the challenge , then my server compares the client's string with cleartext-password (not md5'ed with challenge) which is bad OR he does not show the md5'ed form of the cleartext-password.... I am going to try default config for freeradius, maybe this will help. Again, thank You for your help and time! regards WZ -- Pozdrawiam, Wojciech Ziniewicz Administrator Cebit
Wojciech Ziniewicz wrote:
Maybe i do something uncorrect with the operators ? or there are too few attributes/values in my radcheck/radreply ?
No.
As I understand for now - My client gives me the password md5'ed with the challenge , then my server compares the client's string with cleartext-password (not md5'ed with challenge)
No. The server hashes the cleartext password it has, and compares that to the hash supplied by the RADIUS client.
which is bad OR he does not show the md5'ed form of the cleartext-password....
I am going to try default config for freeradius, maybe this will help.
Try also with "ntradping", or another non-FreeRADIUS client. If CHAP works for those clients, then the CHAP code in PPPoE is broken. Alan DeKok.
Dnia Śr Września 26 2007, 11:57 am, Alan DeKok napisał(a):
Try also with "ntradping", or another non-FreeRADIUS client. If CHAP works for those clients, then the CHAP code in PPPoE is broken.
Alan DeKok.
Alan, probably you were right. Testing CHAP auth locally with ntradping (runs easily over wine ) succeeded ;/ . Here's what i have from my radiusd -X debug : rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 2 rlm_chap: login attempt by "TEST" with CHAP password rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: chap user TEST authenticated succesfully modcall[authenticate]: module "chap" returns ok for request 2 modcall: leaving group CHAP (returns ok) for request 2 Login OK: [TEST/<CHAP-Password>] (from client localhost port 0) Sending Access-Accept of id 21 to 127.0.0.1 port 1854 Service-Type = Framed-User Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1400 Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 10.100.2.156 Framed-Protocol = PPP Password == "TEST987" Finished request 2 Thank You very much. If i find out what is broken in pppoe server i will notify You. Thank You one more time. regards WZ -- Pozdrawiam, Wojciech Ziniewicz Administrator Cebit
Dnia Śr Września 26 2007, 2:51 pm, Wojciech Ziniewicz napisał(a):
Dnia Śr Września 26 2007, 11:57 am, Alan DeKok napisał(a):
Try also with "ntradping", or another non-FreeRADIUS client. If CHAP works for those clients, then the CHAP code in PPPoE is broken.
Alan DeKok.
Alan, probably you were right. Testing CHAP auth locally with ntradping (runs easily over wine ) succeeded ;/ .
Here's what i have from my radiusd -X debug :
rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 2 rlm_chap: login attempt by "TEST" with CHAP password rlm_chap: Using clear text password "TEST987" for user TEST authentication. rlm_chap: chap user TEST authenticated succesfully modcall[authenticate]: module "chap" returns ok for request 2 modcall: leaving group CHAP (returns ok) for request 2 Login OK: [TEST/<CHAP-Password>] (from client localhost port 0) Sending Access-Accept of id 21 to 127.0.0.1 port 1854 Service-Type = Framed-User Framed-Compression = Van-Jacobson-TCP-IP Framed-MTU = 1400 Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 10.100.2.156 Framed-Protocol = PPP Password == "TEST987" Finished request 2
Thank You very much. If i find out what is broken in pppoe server i will notify You. Thank You one more time.
The problem is solved. The freeradius dictionary differed from radiusclient dictionary . I ommited the "Sep 24 09:31:53 beta pppd[27534]: rc_avpair_new: unknown attribute 60" in my logs . Before : beta radiusclient # cat /etc/radiusclient/dictionary | grep CHAP ATTRIBUTE CHAP-Password 3 string After : beta radiusclient # cat /etc/radiusclient/dictionary | grep CHAP ATTRIBUTE CHAP-Password 3 string ATTRIBUTE CHAP-Challenge 60 string Solved - thank You once again Alan. regards. -- Pozdrawiam, Wojciech Ziniewicz Administrator Cebit
participants (3)
-
Alan DeKok -
John Wan -
Wojciech Ziniewicz