Hi All We are getting seemingly random CHAP authentication issues. These are known good passwords configured on test routers, however we still get the same authentication failed. Has anyone else seen such things? A debug output for one such request is here. The password that the module pulls out to compare against is 100% what we are using. rad_recv: Access-Request packet from host 217.196.224.5 port 1645, id=92, length=148 Framed-Protocol = PPP User-Name = "264247.313093@hs.hsoworld.com" CHAP-Password = 0x022714dafa245ec52463c2afc25ea7dbe2 Calling-Station-Id = "BBEU17129208" Connect-Info = "6631000/444000" NAS-Port-Type = ISDN NAS-Port = 21378 NAS-Port-Id = "Uniq-Sess-ID1378" Service-Type = Framed-User NAS-IP-Address = 217.196.224.5 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com [preprocess] expand: %{NAS-IP-Address} -> 217.196.224.5 ++[preprocess] = ok [chap] Setting 'Auth-Type := CHAP' ++[chap] = ok ++[mschap] = noop [suffix] Looking up realm "hs.hsoworld.com" for User-Name = "264247.313093@hs.hsoworld.com" [suffix] Found realm "hs.hsoworld.com" [suffix] Adding Stripped-User-Name = "264247.313093" [suffix] Adding Realm = "hs.hsoworld.com" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[unix] = notfound [files] users: Matched entry DEFAULT at line 425 ++[files] = ok [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] expand: %{Stripped-User-Name:-%{User-Name:-none}} -> 264247.313093 [sql] sql_set_user escaped user --> '264247.313093' rlm_sql (sql): Reserving sql socket id: 5 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '264247.313093' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '264247.313093' ORDER BY id [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = '264247.313093' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'hsodefault' ORDER BY id [sql] User found in group hsodefault [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'hsodefault' ORDER BY id rlm_sql (sql): Released sql socket id: 5 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +group CHAP { [chap] login attempt by "264247.313093" with CHAP password [chap] Using clear text password "Gr03ven0r" for user 264247.313093 authentication. [chap] Password check failed ++[chap] = reject +} # group CHAP = reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [264247.313093@hs.hsoworld.com] (from client lns00.hex.uk port 21378 cli BBEU17129208) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 264247.313093@hs.hsoworld.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated _____________________________________________________________________ This e-mail and all attachments have been scanned by the hSo virus scanning service powered by Symantec and no known viruses were detected.
On Feb 9, 2015, at 5:24 AM, Dan Goscomb <Dan.Goscomb@hso.co.uk> wrote:
We are getting seemingly random CHAP authentication issues. These are known good passwords configured on test routers, however we still get the same authentication failed. Has anyone else seen such things?
Yes. The router / NAS is broken. Throw it in the garbage and get one that works. Alan DeKok.
Yes. The router / NAS is broken. Throw it in the garbage and get one that works.
This what I feared... has anyone seen particular issues with Cisco 7200 NAS and/or Zyxel DSL CPE? _____________________________________________________________________ This e-mail and all attachments have been scanned by the hSo virus scanning service powered by Symantec and no known viruses were detected.
On 09.02.2015 17:21, Dan Goscomb wrote:
This what I feared... has anyone seen particular issues with Cisco 7200 NAS and/or Zyxel DSL CPE?
You should be able to debug the issue down. Turn on RADIUS debug and PPP CHAP debug on Cisco 7200. CHAP Challenge sent from Cisco 7200 to CPE should later be sent in RADIUS packet from Cisco 7200 to RADIUS server (in message header Authenticator field). CHAP Response sent from CPE to Cisco 7200 should later be sent in RADIUS packet from Cisco 7200 to RADIUS server (in CHAP-Password attribute). If RADIUS packet contains something different then Cisco 7200 is broken. Otherwise the CPE is broken.
participants (3)
-
Alan DeKok -
Dan Goscomb -
Iliya Peregoudov