I'm trying to use radclient to test chap authentication, however it looks like the chap-password attribute is getting encrypted or something and not passed as specified. How should one do this? I'm trying to get a test working with freeradius 1.1.7 that I can use to validate a freeradius 3.2.5 installation... https://freeradius-users.freeradius.narkive.com/OdBT8CjP/ms-chap-authenticat... tshark -V for a real, accepted, request: Radius Protocol Code: Access-Request (1) Packet identifier: 0x7c (124) Length: 175 Authenticator: D9FC93F9B090BAD032E0F15793F31AE6 Attribute Value Pairs AVP: l=6 t=Service-Type(6): Framed-User(2) Service-Type: Framed-User (2) AVP: l=6 t=Framed-Protocol(7): PPP(1) Framed-Protocol: PPP (1) AVP: l=6 t=NAS-Port(5): 15832385 NAS-Port: 15832385 AVP: l=6 t=NAS-Port-Type(61): Ethernet(15) NAS-Port-Type: Ethernet (15) AVP: l=7 t=User-Name(1): CPEV2 User-Name: CPEV2 AVP: l=19 t=Calling-Station-Id(31): <macaddr> Calling-Station-Id: <macaddr> AVP: l=10 t=Called-Station-Id(30): service1 Called-Station-Id: service1 AVP: l=15 t=NAS-Port-Id(87): bridge2-10.11 NAS-Port-Id: bridge2-10.11 AVP: l=10 t=Acct-Session-Id(44): 81e19440 Acct-Session-Id: 81e19440 AVP: l=18 t=CHAP-Challenge(60): 16C474F4671ABE2E03E2F199B170E22A CHAP-Challenge: 16C474F4671ABE2E03E2F199B170E22A AVP: l=19 t=CHAP-Password(3): 015223EA79AAE8B427798EC0FA5EC35FA9 CHAP-Password: 015223EA79AAE8B427798EC0FA5EC35FA9 AVP: l=9 t=NAS-Identifier(32): knox-gw NAS-Identifier: knox-gw AVP: l=6 t=NAS-IP-Address(4): 207.55.2.20 NAS-IP-Address: 207.55.2.20 (207.55.2.20) AVP: l=18 t=Message-Authenticator(80): 4605A791CA930685357F73A2B89D6197 Message-Authenticator: 4605A791CA930685357F73A2B89D6197 From that, I craft up this input to radclient: Service-Type = Framed-User Framed-Protocol = PPP NAS-Port-Type = Ethernet NAS-Port = 15832385 User-Name = CPEv2 Calling-Station-Id = <macaddr> Called-Station-Id = service1 NAS-Port-Id = bridge2-10.11 Acct-Session-Id = 81e19440 CHAP-Challenge = 0x16C474F4671ABE2E03E2F199B170E22A CHAP-Password = 0x015223EA79AAE8B427798EC0FA5EC35FA9 NAS-Identifier = knox-gw NAS-IP-Address = 207.55.2.20 Message-Authenticator = 0x4605A791CA930685357F73A2B89D6197 However, what gets sent is: Radius Protocol Code: Access-Request (1) Packet identifier: 0xfd (253) Length: 175 Authenticator: 68FC978374D1E2D4B190667E651488E5 Attribute Value Pairs AVP: l=6 t=Service-Type(6): Framed-User(2) Service-Type: Framed-User (2) AVP: l=6 t=Framed-Protocol(7): PPP(1) Framed-Protocol: PPP (1) AVP: l=6 t=NAS-Port-Type(61): Ethernet(15) NAS-Port-Type: Ethernet (15) AVP: l=6 t=NAS-Port(5): 15832385 NAS-Port: 15832385 AVP: l=7 t=User-Name(1): CPEv2 User-Name: CPEv2 AVP: l=19 t=Calling-Station-Id(31): <macaddr> Calling-Station-Id: <macaddr> AVP: l=10 t=Called-Station-Id(30): service1 Called-Station-Id: service1 AVP: l=15 t=NAS-Port-Id(87): bridge2-10.11 NAS-Port-Id: bridge2-10.11 AVP: l=10 t=Acct-Session-Id(44): 81e19440 Acct-Session-Id: 81e19440 AVP: l=18 t=CHAP-Challenge(60): 16C474F4671ABE2E03E2F199B170E22A CHAP-Challenge: 16C474F4671ABE2E03E2F199B170E22A AVP: l=19 t=CHAP-Password(3): FDB41FBAC26B503DBA63E94B8C667E928A CHAP-Password: FDB41FBAC26B503DBA63E94B8C667E928A AVP: l=9 t=NAS-Identifier(32): knox-gw NAS-Identifier: knox-gw AVP: l=6 t=NAS-IP-Address(4): 207.55.2.20 NAS-IP-Address: 207.55.2.20 (207.55.2.20) AVP: l=18 t=Message-Authenticator(80): D07850811C046CAD43B07082152D0050 Message-Authenticator: D07850811C046CAD43B07082152D0050
On Feb 11, 2025, at 4:42 AM, Alan Batie <alan@batie.org> wrote:
I'm trying to use radclient to test chap authentication, however it looks like the chap-password attribute is getting encrypted or something and not passed as specified. How should one do this?
Just send the CHAP-Password. It should work.
I'm trying to get a test working with freeradius 1.1.7 that I can use to validate a freeradius 3.2.5 installation...
Are you using the version of radclient from 1.1.7? The one in 3.2 works for me. I can take the exact packet you gave, send it via radclient, and the server receives the exact same CHAP-Password. Alan DeKok.
On 2/11/25 6:46 AM, Alan DeKok wrote:
On Feb 11, 2025, at 4:42 AM, Alan Batie <alan@batie.org> wrote:
I'm trying to use radclient to test chap authentication, however it looks like the chap-password attribute is getting encrypted or something and not passed as specified. How should one do this?
Just send the CHAP-Password. It should work.
I'm trying to get a test working with freeradius 1.1.7 that I can use to validate a freeradius 3.2.5 installation...
Are you using the version of radclient from 1.1.7? The one in 3.2 works for me. I can take the exact packet you gave, send it via radclient, and the server receives the exact same CHAP-Password.
I was, due to some firewall issues that are getting resolved. Thanks...
participants (2)
-
Alan Batie -
Alan DeKok