chap authenticatin fail
Hi, Sorry for my basic question though, I'm setting up chap-md5 authentication FreeRadius3 with traffic tester (Spirent). But authentication failed. [topo] tester ----- (pppoe) --- authenticator --- (radius) --- FR3 [issue] <-pppoe, lcp -> OK <------------------- challenge -------------------> response ------------------> radius rewuest <------ radius reject!!! I tried local test with "radtest -x -4 -t chap user1@yk testing! 127.0.0.1 1812 testing123", and it worked (authenticaton success). On the tester, I configured "user@yk" as ID and "testing!" as PW and "chap md5 authenticaton" as method. Then I saw chap failure as follows (summary by wireshark): Sending challenge : Challenge (NAME='R3', VALUE=0x457e20c349a6c2bd) Response challenge : Response (NAME='user1@yk', VALUE=0x9e913a644c3c15e78d31a540f5d8e90b) Sending Radius-Req : Access-Request(1) (id=58, l=77) Responding Radius-Rej : Access-Reject(3) (id=58, l=20)
From debug: Fri Nov 13 00:08:28 2015 : Debug: (0) Found Auth-Type = CHAP Fri Nov 13 00:08:28 2015 : Debug: (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Fri Nov 13 00:08:28 2015 : Debug: (0) Auth-Type CHAP { Fri Nov 13 00:08:28 2015 : Debug: (0) modsingle[authenticate]: calling chap (rlm_chap) for request 0 Fri Nov 13 00:08:28 2015 : ERROR: (0) chap: &control:Cleartext-Password is required for authentication Fri Nov 13 00:08:28 2015 : Debug: (0) modsingle[authenticate]: returned from chap (rlm_chap) for request 0 Fri Nov 13 00:08:28 2015 : Debug: (0) [chap] = fail Fri Nov 13 00:08:28 2015 : Debug: (0) } # Auth-Type CHAP = fail Fri Nov 13 00:08:28 2015 : Debug: (0) Failed to authenticate the user Fri Nov 13 00:08:28 2015 : Auth: (0) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [user1@yk] (from client R3 port 0)
Of course, I set "Cleartext-Password" Home$raddb/users too. I tried lots of combination on it, so I omit the configuraton of it. What does "ERROR: (0) chap: &control:Cleartext-Password is required for authentication" mean first of all... I made sure to configure "Cleartext-Password". I just thought if each PW between pppoe client and server is identical, that works successfully as chap authentication. Is there any parameter I should care about when configuring chap authentication? Regards, yk
On N
Sorry for my basic question though, I'm setting up chap-md5 authentication FreeRadius3 with traffic tester (Spirent).
OK...
From debug: Fri Nov 13 00:08:28 2015 : Debug: (0) Found Auth-Type = CHAP Fri Nov 13 00:08:28 2015 : Debug: (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Fri Nov 13 00:08:28 2015 : Debug: (0) Auth-Type CHAP { Fri Nov 13 00:08:28 2015 : Debug: (0) modsingle[authenticate]: calling chap (rlm_chap) for request 0 Fri Nov 13 00:08:28 2015 : ERROR: (0) chap: &control:Cleartext-Password is required for authentication
You need to tell the server what the password is. This is in the FAQ.
Of course, I set "Cleartext-Password" Home$raddb/users too.
Well, no. If you had set it, it would work.
I tried lots of combination on it, so I omit the configuraton of it.
Don't try lots of combinations. Follow the documentation. http://freeradius.org/ Click on "documentation". Read the links. It tells you how to do simple tests. Alan DeKok.
participants (2)
-
Alan DeKok -
Yukou Katori