Hello all, I'm troubleshooting a new cell modem authentication attempt. Previous cell modems from the same company work fine, but these new cell modem are having an issues authenticating via CHAP even though the username and password are correct and radcheck and ntradping work just fine. We're thinking it might have to do with the CHAP challenge length that gets sent by these new modems, or more specifically, the new radio module in them. From packet captures, the same length gets sent every time (59), but fails with the [chap] Password check failed ++[chap] returns reject every time. Successful attempts from other modems have varying length up to 50 from what I've seen. Is there a higher level of debug I can turn on to see what CHAP is failing even though the correct username and password are being supplied or is there a CHAP setting somewhere specifies maximum challenge length? I'm told these modems were successfully tested against a Juniper RADIUS server. Below is the debug output and my freeradius version. Any help would be greatly appreciated. Thanks! +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mktest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' rlm_sql (sql): Reserving sql socket id: 9 [sql] expand: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active' ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql (sql): Released sql socket id: 9 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "mktest" with CHAP password [chap] Using clear text password "1234567" for user mktest authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [mktest/<CHAP-Password>] (from client modemAuth port 60000 cli xxxxxxxxxxx) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] ... expanding second conditional [sql] expand: Chap-Password -> Chap-Password [sql] expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) [sql] expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Reserving sql socket id: 8 rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Released sql socket id: 8 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> mktest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 83 to 166.185.13.111 port 1645 Waking up in 4.9 seconds. rpm -qi freeradius2 Name : freeradius2 Relocations: (not relocatable) Version : 2.1.12 Vendor: CentOS Release : 3.el5 Build Date: Wed 22 Feb 2012 08:08:30 PM UTC Install Date: Mon 19 Mar 2012 07:05:05 PM UTC Build Host: builder10.centos.org Group : System Environment/Daemons Source RPM: freeradius2-2.1.12-3.el5.src.rpm Size : 5873621 License: GPLv2+ and LGPLv2+ Signature : DSA/SHA1, Wed 22 Feb 2012 08:22:13 PM UTC, Key ID a8a447dce8562897 URL : http://www.freeradius.org/ Summary : High-performance and highly configurable free RADIUS server [root@RADIUS ~]# radtest -t chap mktest 1234567 localhost 0 testing123 Sending Access-Request of id 156 to 127.0.0.1 port 1812 User-Name = "mktest" CHAP-Password = 0x9c87f965b84313794308aa6e7dac569e08 NAS-IP-Address = 192.168.149.201 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=156, length=26 Framed-IP-Address = 10.130.0.35
GT4NE1 wrote:
We're thinking it might have to do with the CHAP challenge length that gets sent by these new modems, or more specifically, the new radio module in them. From packet captures, the same length gets sent every time (59), but fails with the
Except that the debug output you posted shows *nothing* about the Access-Request.
every time. Successful attempts from other modems have varying length up to 50 from what I've seen. Is there a higher level of debug I can turn on to see what CHAP is failing even though the correct username and password are being supplied or is there a CHAP setting somewhere specifies maximum challenge length?
FreeRADIUS has *no* limit on the CHAP-Challenge. It can handle challenges up to 253 octets, which is the maximum length of RADIUS attributes. If CHAP is failing, it's because the client is calculating the wrong CHAP-Password.
I'm told these modems were successfully tested against a Juniper RADIUS server. Below is the debug output and my freeradius version. Any help would be greatly appreciated.
There is no CHAP-Challenge in the debug output. You've helpfully deleted the entire contents of the Access-Request. For all that's holy, *WHY* do people insist on doing this? The FAQ, README, "man" page, web pages, and daily messages on this list say "post the debug output". They DON'T say "butcher the debug output, and post small pieces of it." If you want us to help you, the ask *good* questions. Asking a question about a CHAP-Challenge, and then *not* including it in the debug output is a *bad* thing to do. Alan DeKok.
Hello, My apologies. This was my poor attempt at providing enough information, but not having to censor the output as much. Here is a fully debug for a few attempts with unique information censored out. I appreciate the response. rad_recv: Access-Request packet from host xxx.xxx.xx.xxx port 1645, id=249, length=430 X-Ascend-Send-Auth = Send-Auth-CHAP CHAP-Challenge = 0x7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019debf8cd5eadb7851b6b7248d425390898eafbc459acba8c166 CHAP-Password = 0x00f1d4017f883771443194ba6eb2e32dbd User-Name = "mktest" Called-Station-Id = "test-called-station-id" Calling-Station-Id = "xxx-xxx-xxxx" Framed-Protocol = GPRS-PDP-Context 3GPP-IMSI = "IMSI#" 3GPP-Charging-ID = charging-id 3GPP-PDP-Type = 0 3GPP-Charging-Gateway-Address = xxx.xx.xxx.xx 3GPP-GPRS-Negotiated-QoS-profile = "99-13921F739697E874820101" 3GPP-SGSN-Address = xxx.xxx.xx.xx 3GPP-GGSN-Address = xxx.xxx.xxx.xx 3GPP-IMSI-MCC-MNC = "310410" 3GPP-GGSN-MCC-MNC = "000000" 3GPP-NSAPI = "5" 3GPP-Selection-Mode = "0" 3GPP-Charging-Characteristics = "0800" 3GPP-SGSN-MCC-MNC = "310410" 3GPP-RAT-Type = 1 3GPP-Location-Info = 0x01130014d8eb1e7d 3GPP-Attr-23 = 0x8a01 3GPP-IMEISV = "S&Q@ \txP" NAS-Port-Type = Virtual NAS-Port = 60000 NAS-Port-Id = "GGSN" Service-Type = Framed-User NAS-IP-Address = xxx.xxx.xx.xxx NAS-Identifier = "nas-identifier" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mktest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' rlm_sql (sql): Reserving sql socket id: 9 [sql] expand: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active' ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql (sql): Released sql socket id: 9 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "mktest" with CHAP password [chap] Using clear text password "1234567" for user mktest authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [mktest/<CHAP-Password>] (from client modemAuth port 60000 cli xxx-xxx-xxxx) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] ... expanding second conditional [sql] expand: Chap-Password -> Chap-Password [sql] expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) [sql] expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Reserving sql socket id: 8 rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Released sql socket id: 8 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> mktest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 249 to xxx.xxx.xx.xxx port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 249 with timestamp +104 Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xx.xxx port 1645, id=149, length=430 X-Ascend-Send-Auth = Send-Auth-CHAP CHAP-Challenge = 0x7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019debf8cd5eadb7851b6b7248d425390898eafbc459acba8c166 CHAP-Password = 0x00f1d4017f883771443194ba6eb2e32dbd User-Name = "mktest" Called-Station-Id = "test-called-station-id" Calling-Station-Id = "xxx-xxx-xxxx" Framed-Protocol = GPRS-PDP-Context 3GPP-IMSI = "IMSI#" 3GPP-Charging-ID = 270564512 3GPP-PDP-Type = 0 3GPP-Charging-Gateway-Address = xxx.xx.xxx.xx 3GPP-GPRS-Negotiated-QoS-profile = "99-13921F739697E874820101" 3GPP-SGSN-Address = xxx.xxx.xx.xx 3GPP-GGSN-Address = xxx.xxx.xxx.xx 3GPP-IMSI-MCC-MNC = "310410" 3GPP-GGSN-MCC-MNC = "000000" 3GPP-NSAPI = "5" 3GPP-Selection-Mode = "0" 3GPP-Charging-Characteristics = "0800" 3GPP-SGSN-MCC-MNC = "310410" 3GPP-RAT-Type = 1 3GPP-Location-Info = 0x01130014d8eb1e7d 3GPP-Attr-23 = 0x8a01 3GPP-IMEISV = "S&Q@ \txP" NAS-Port-Type = Virtual NAS-Port = 60000 NAS-Port-Id = "GGSN" Service-Type = Framed-User NAS-IP-Address = xxx.xxx.xx.xxx NAS-Identifier = "nas-identifier" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mktest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' rlm_sql (sql): Reserving sql socket id: 7 [sql] expand: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active' ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql (sql): Released sql socket id: 7 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "mktest" with CHAP password [chap] Using clear text password "1234567" for user mktest authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [mktest/<CHAP-Password>] (from client modemAuth port 60000 cli xxx-xxx-xxxx) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] ... expanding second conditional [sql] expand: Chap-Password -> Chap-Password [sql] expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) [sql] expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Reserving sql socket id: 6 rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Released sql socket id: 6 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> mktest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 149 to xxx.xxx.xx.xxx port 1645 Waking up in 4.9 seconds. Cleaning up request 1 ID 149 with timestamp +170 Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xx.xxx port 1645, id=30, length=430 X-Ascend-Send-Auth = Send-Auth-CHAP CHAP-Challenge = 0x7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019debf8cd5eadb7851b6b7248d425390898eafbc459acba8c166 CHAP-Password = 0x00f1d4017f883771443194ba6eb2e32dbd User-Name = "mktest" Called-Station-Id = "test-called-station-id" Calling-Station-Id = "xxx-xxx-xxxx" Framed-Protocol = GPRS-PDP-Context 3GPP-IMSI = "IMSI#" 3GPP-Charging-ID = 270564773 3GPP-PDP-Type = 0 3GPP-Charging-Gateway-Address = xxx.xx.xxx.xx 3GPP-GPRS-Negotiated-QoS-profile = "99-13921F739697E874820101" 3GPP-SGSN-Address = xxx.xxx.xx.xx 3GPP-GGSN-Address = xxx.xxx.xxx.xx 3GPP-IMSI-MCC-MNC = "310410" 3GPP-GGSN-MCC-MNC = "000000" 3GPP-NSAPI = "5" 3GPP-Selection-Mode = "0" 3GPP-Charging-Characteristics = "0800" 3GPP-SGSN-MCC-MNC = "310410" 3GPP-RAT-Type = 1 3GPP-Location-Info = 0x01130014d8eb1e7d 3GPP-Attr-23 = 0x8a01 3GPP-IMEISV = "S&Q@ \txP" NAS-Port-Type = Virtual NAS-Port = 60000 NAS-Port-Id = "GGSN" Service-Type = Framed-User NAS-IP-Address = xxx.xxx.xx.xxx NAS-Identifier = "nas-identifier" # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mktest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' rlm_sql (sql): Reserving sql socket id: 5 [sql] expand: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active' ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, chk_Attribute, password, chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql_mysql: query: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName = 'mktest' ORDER BY id rlm_sql (sql): Released sql socket id: 5 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "mktest" with CHAP password [chap] Using clear text password "1234567" for user mktest authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [mktest/<CHAP-Password>] (from client modemAuth port 60000 cli xxx-xxx-xxxx) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> mktest [sql] sql_set_user escaped user --> 'mktest' [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] ... expanding second conditional [sql] expand: Chap-Password -> Chap-Password [sql] expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) [sql] expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: INSERT into radpostauth (id, user, pass, reply, date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> mktest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 30 to xxx.xxx.xx.xxx port 1645 Waking up in 4.9 seconds. Cleaning up request 2 ID 30 with timestamp +231 Ready to process requests. On Mon, Apr 16, 2012 at 11:32 PM, Alan DeKok <aland@deployingradius.com> wrote:
GT4NE1 wrote:
We're thinking it might have to do with the CHAP challenge length that gets sent by these new modems, or more specifically, the new radio module in them. From packet captures, the same length gets sent every time (59), but fails with the
Except that the debug output you posted shows *nothing* about the Access-Request.
every time. Successful attempts from other modems have varying length up to 50 from what I've seen. Is there a higher level of debug I can turn on to see what CHAP is failing even though the correct username and password are being supplied or is there a CHAP setting somewhere specifies maximum challenge length?
FreeRADIUS has *no* limit on the CHAP-Challenge. It can handle challenges up to 253 octets, which is the maximum length of RADIUS attributes.
If CHAP is failing, it's because the client is calculating the wrong CHAP-Password.
I'm told these modems were successfully tested against a Juniper RADIUS server. Below is the debug output and my freeradius version. Any help would be greatly appreciated.
There is no CHAP-Challenge in the debug output. You've helpfully deleted the entire contents of the Access-Request.
For all that's holy, *WHY* do people insist on doing this? The FAQ, README, "man" page, web pages, and daily messages on this list say "post the debug output". They DON'T say "butcher the debug output, and post small pieces of it."
If you want us to help you, the ask *good* questions. Asking a question about a CHAP-Challenge, and then *not* including it in the debug output is a *bad* thing to do.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
GT4NE1 wrote:
My apologies. This was my poor attempt at providing enough information, but not having to censor the output as much. Here is a fully debug for a few attempts with unique information censored out. I appreciate the response.
The client is broken. There is no other choice. The correct CHAP-Password is 0x006368d912a3c73c9b19b9d830529bfec5. *However*, if I truncate the CHAP-Challenge to 48 bytes: 0x7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019debf8cd5eadb7851b6b7248d42539089 Then FreeRADIUS calculates the CHAP-Password you have in the packet, and authenticates the user. Go back to whoever sold you the modem, and tell them that their product is broken. Tell them to fix their product. It's OK to truncate the CHAP-Challenge at 48 bytes. But if they do so, they MUST send a 48-byte CHAP-Challenge. Sending a LONGER one is stupid and wrong. If they argue, point out the above analysis. Get them to try it for themselves. If they still argue, point out all of the RADIUS RFCs with my name on them. Give them my contact information. Their product doesn't work, and cannot possibly work. The tests that the Juniper guys did were likely with CHAP-Challenges of 48 bytes or less. I doubt very much that SBR is so broken as to also truncate challenges at 48 bytes. Alan DeKok.
participants (2)
-
Alan DeKok -
GT4NE1