Chap password failing with Cisco
All- I am trying to get freeradius to authenticate chap for a ISDN backup call on a cisco. I am running version 1.0.1. I am in control of server and clients, so I know the passwords match, but the logs say they do not. Router setup: username ie_phx2 password 0 password users file: ie_phx2 Password == "password" Service-Type = Framed, Framed-Protocol = ppp, Cisco-Avpair += "multilink:max-links=6", Cisco-Avpair += "multilink:min-links=1", Cisco-Avpair += "multilink:load-threshhold=192", Cisco-Avpair += "lcp:interface-config=ip vrf forwarding VPDN-1444-ISDNBackup", Cisco-Avpair += "lcp:interface-config=ip unnumbered loop144", Cisco-Avpair += "lcp:send-secret=password" log: rad_recv: Access-Request packet from host XX.XX.XX.XX:1645, id=0, length=91 Framed-Protocol = PPP User-Name = "ie_phx2" CHAP-Password = 0x1906c1e965a82a39db372abde8f7455ee6 NAS-Port = 1 NAS-Port-Type = Virtual Called-Station-Id = "04082415687" Service-Type = Framed-User NAS-IP-Address = XX.XX.XX.XX Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "ie_phx2", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 9 users: Matched ie_phx2 at 147 modcall[authorize]: module "files" returns ok for request 9 modcall: group authorize returns ok for request 9 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 9 rlm_chap: login attempt by "ie_phx2" with CHAP password rlm_chap: Using clear text password password for user ie_phx2 authentication. rlm_chap: Pasword check failed modcall[authenticate]: module "chap" returns reject for request 9 modcall: group Auth-Type returns reject for request 9 auth: Failed to validate the user. Login incorrect (rlm_chap: Wrong user password): [ie_phx2/<CHAP-Password>] (from client c pe2.pop2 port 1) Delaying request 9 for 1 seconds Finished request 9 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 38 with timestamp 42c333c5 Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to XX.XX.XX.XX:1645 Cisco-AVPair += "multilink:max-links=6" Cisco-AVPair += "multilink:min-links=1" Cisco-AVPair += "multilink:load-threshhold=192" Cisco-AVPair += "lcp:interface-config=ip vrf forwarding VPDN-1444-ISDNBackup\n ip unnumbered loop144" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 0 with timestamp 42c333ca Nothing to do. Sleeping until we see a request. Any idea why freeradius thinks the passwords don't match? Thanks -Brent Smith
Brent Smith schrieb:
I am trying to get freeradius to authenticate chap for a ISDN backup call on a cisco. I am running version 1.0.1. I am in control of server and clients, so I know the passwords match, but the logs say they do not.
IIRC earlier 1.0.x releases have problems with MD5 (and this CHAP) an some hardware (e.g. 64-bit (like AMD-64) or big-endian (like SPARC) processors), so if you're running one of those, an update might be helpful. Search the mailing list archives for details... Also, if all is fine in that respect, your paket seems to contain CHAP-Password only, no "CHAP-Challenge". IIRC, there's a rule on how to automatically derive a CHAP-Challenge from the rest of the RADIUS paket, but I have no idea how well this is supported by server and various clients, so maybe there some problem hidden there? Regards, Stefan
On 7/1/05, Stefan.Neis@t-online.de <Stefan.Neis@t-online.de> wrote:
Brent Smith schrieb:
I am trying to get freeradius to authenticate chap for a ISDN backup call on a cisco. I am running version 1.0.1. I am in control of server and clients, so I know the passwords match, but the logs say they do not.
IIRC earlier 1.0.x releases have problems with MD5 (and this CHAP) an some hardware (e.g. 64-bit (like AMD-64) or big-endian (like SPARC) processors), so if you're running one of those, an update might be helpful. Search the mailing list archives for details...
I am not running on any of those platforms, but I upgraded to 1.0.4 with the same result.
Also, if all is fine in that respect, your paket seems to contain CHAP-Password only, no "CHAP-Challenge". IIRC, there's a rule on how to automatically derive a CHAP-Challenge from the rest of the RADIUS paket, but I have no idea how well this is supported by server and various clients, so maybe there some problem hidden there?
Regards, Stefan
There has to be other users out there who are using chap with Ciscos. Anyone?
participants (2)
-
Brent Smith -
Stefan.Neis@t-online.de