Hello everybody, I am trying now for days to get a hotspot with chillispot (on dd-wrt device) and freeradius running. it set up a testuser and if I try a local radcheck on the ubuntu machine, which hosts the freeradius, everything works out fine. when I logon to the wifi, I get a right IP (from 192.168.182.0/24) from the hotspot and I am redirected to hotspotlogin.cgi, where I put in the exact same user and password as with the radtest, but login failed. I get the following debug error from freeradius: when I try it with a wrong password, I get this debug error: has anyone an idea how to disable chap authenitification or better to fix it? I would be really happy about every answer which directs me in a certain way, because the hotspot has to work this weekend and I am getting a little bit nervous ;) Cheers iro -- View this message in context: http://freeradius.1045715.n5.nabble.com/Problem-with-CHAP-Authentification-t... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Sorry everybody to bother you again, But I saw that the included debug code was missing, so here is the complete post again with the missing code. Sorry again for the inconvenience. Cheers iro ######################################################### Hello everybody, I am trying now for days to get a hotspot with chillispot (on dd-wrt device) and freeradius running. it set up a testuser and if I try a local radcheck on the ubuntu machine, which hosts the freeradius, everything works out fine. maw@maweee:~$ radtest user 123 192.168.1.2 0 testsecret Sending Access-Request of id 2 to 192.168.1.2 port 1812 User-Name = "user" User-Password = "123" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Accept packet from host 192.168.1.2 port 1812, id=2, length=20 when I logon to the wifi, I get a right IP (from 192.168.182.0/24) from the hotspot and I am redirected to hotspotlogin.cgi, where I put in the exact same user and password as with the radtest, but login failed. I get the following debug error from freeradius: rad_recv: Access-Request packet from host 192.168.1.1 port 32791, id=0, length=220 User-Name = "user" CHAP-Challenge = 0x6720898bb425aacf39f9c73c8fa166dc CHAP-Password = 0x0020e82de25a959fe7a132d435066ceecf NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "70-F3-95-AC-E5-70" Called-Station-Id = "98-FC-11-88-6B-94" NAS-Identifier = "GEC_HotSpot" Acct-Session-Id = "4fd6138500000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0x33f2f225ef67e3c956754c385490fcc8 WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Mon Jun 11 15:49:49 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Mon Jun 11 15:49:49 2012 : Info: +- entering group authorize {...} Mon Jun 11 15:49:49 2012 : Info: ++[preprocess] returns ok Mon Jun 11 15:49:49 2012 : Info: [chap] Setting 'Auth-Type := CHAP' Mon Jun 11 15:49:49 2012 : Info: ++[chap] returns ok Mon Jun 11 15:49:49 2012 : Info: ++[mschap] returns noop Mon Jun 11 15:49:49 2012 : Info: [suffix] No '@' in User-Name = "user", looking up realm NULL Mon Jun 11 15:49:49 2012 : Info: [suffix] No such realm "NULL" Mon Jun 11 15:49:49 2012 : Info: ++[suffix] returns noop Mon Jun 11 15:49:49 2012 : Info: [eap] No EAP-Message, not doing EAP Mon Jun 11 15:49:49 2012 : Info: ++[eap] returns noop Mon Jun 11 15:49:49 2012 : Info: [sql] expand: %{User-Name} -> user Mon Jun 11 15:49:49 2012 : Info: [sql] sql_set_user escaped user --> 'user' Mon Jun 11 15:49:49 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 4 Mon Jun 11 15:49:49 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user' ORDER BY id Mon Jun 11 15:49:49 2012 : Info: [sql] User found in radcheck table Mon Jun 11 15:49:49 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user' ORDER BY id Mon Jun 11 15:49:49 2012 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user' ORDER BY priority Mon Jun 11 15:49:49 2012 : Debug: rlm_sql (sql): Released sql socket id: 4 Mon Jun 11 15:49:49 2012 : Info: ++[sql] returns ok Mon Jun 11 15:49:49 2012 : Info: ++[expiration] returns noop Mon Jun 11 15:49:49 2012 : Info: ++[logintime] returns noop Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Entering module authorize code Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair Mon Jun 11 15:49:49 2012 : Info: ++[noresetcounter] returns noop Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Entering module authorize code Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair Mon Jun 11 15:49:49 2012 : Info: ++[dailycounter] returns noop Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Entering module authorize code Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair Mon Jun 11 15:49:49 2012 : Info: ++[monthlycounter] returns noop Mon Jun 11 15:49:49 2012 : Info: Found Auth-Type = CHAP Mon Jun 11 15:49:49 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Mon Jun 11 15:49:49 2012 : Info: +- entering group CHAP {...} Mon Jun 11 15:49:49 2012 : Info: [chap] login attempt by "user" with CHAP password Mon Jun 11 15:49:49 2012 : Info: [chap] Using clear text password "123" for user user authentication. Mon Jun 11 15:49:49 2012 : Info: [chap] Password check failed Mon Jun 11 15:49:49 2012 : Info: ++[chap] returns reject Mon Jun 11 15:49:49 2012 : Info: Failed to authenticate the user. Mon Jun 11 15:49:49 2012 : Auth: Login incorrect (rlm_chap: Wrong user password): [user/<CHAP-Password>] (from client GEC_HotSpot port 0 cli 70-F3-95-AC-E5-70) Mon Jun 11 15:49:49 2012 : Info: Using Post-Auth-Type Reject Mon Jun 11 15:49:49 2012 : Info: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Mon Jun 11 15:49:49 2012 : Info: Delaying reject of request 5 for 1 seconds Mon Jun 11 15:49:49 2012 : Debug: Going to the next request Mon Jun 11 15:49:49 2012 : Debug: Waking up in 0.9 seconds. Mon Jun 11 15:49:50 2012 : Info: Sending delayed reject for request 5 Sending Access-Reject of id 0 to 192.168.1.1 port 32791 Mon Jun 11 15:49:50 2012 : Debug: Waking up in 4.9 seconds. Mon Jun 11 15:49:55 2012 : Info: Cleaning up request 5 ID 0 with timestamp +1919 Mon Jun 11 15:49:55 2012 : Info: Ready to process requests. when I try it with a wrong password, I get this debug error: Mon Jun 11 15:49:55 2012 : Info: Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 32791, id=0, length=220 User-Name = "user" CHAP-Challenge = 0x2fefe9f3c90a15c5f1122cb6257747b4 CHAP-Password = 0x00aba77648197c77e2b2496605348969ce NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.2 Calling-Station-Id = "70-F3-95-AC-E5-70" Called-Station-Id = "98-FC-11-88-6B-94" NAS-Identifier = "GEC_HotSpot" Acct-Session-Id = "4fd6138500000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0xbe97662ae44ea2f7fbb93fe77a4ff86d WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" Mon Jun 11 15:51:18 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Mon Jun 11 15:51:18 2012 : Info: +- entering group authorize {...} Mon Jun 11 15:51:18 2012 : Info: ++[preprocess] returns ok Mon Jun 11 15:51:18 2012 : Info: [chap] Setting 'Auth-Type := CHAP' Mon Jun 11 15:51:18 2012 : Info: ++[chap] returns ok Mon Jun 11 15:51:18 2012 : Info: ++[mschap] returns noop Mon Jun 11 15:51:18 2012 : Info: [suffix] No '@' in User-Name = "user", looking up realm NULL Mon Jun 11 15:51:18 2012 : Info: [suffix] No such realm "NULL" Mon Jun 11 15:51:18 2012 : Info: ++[suffix] returns noop Mon Jun 11 15:51:18 2012 : Info: [eap] No EAP-Message, not doing EAP Mon Jun 11 15:51:18 2012 : Info: ++[eap] returns noop Mon Jun 11 15:51:18 2012 : Info: [sql] expand: %{User-Name} -> user Mon Jun 11 15:51:18 2012 : Info: [sql] sql_set_user escaped user --> 'user' Mon Jun 11 15:51:18 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 3 Mon Jun 11 15:51:18 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user' ORDER BY id Mon Jun 11 15:51:18 2012 : Info: [sql] User found in radcheck table Mon Jun 11 15:51:18 2012 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user' ORDER BY id Mon Jun 11 15:51:18 2012 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user' ORDER BY priority Mon Jun 11 15:51:18 2012 : Debug: rlm_sql (sql): Released sql socket id: 3 Mon Jun 11 15:51:18 2012 : Info: ++[sql] returns ok Mon Jun 11 15:51:18 2012 : Info: ++[expiration] returns noop Mon Jun 11 15:51:18 2012 : Info: ++[logintime] returns noop Mon Jun 11 15:51:18 2012 : Debug: rlm_sqlcounter: Entering module authorize code Mon Jun 11 15:51:18 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair Mon Jun 11 15:51:18 2012 : Info: ++[noresetcounter] returns noop Mon Jun 11 15:51:18 2012 : Debug: rlm_sqlcounter: Entering module authorize code Mon Jun 11 15:51:18 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair Mon Jun 11 15:51:18 2012 : Info: ++[dailycounter] returns noop Mon Jun 11 15:51:18 2012 : Debug: rlm_sqlcounter: Entering module authorize code Mon Jun 11 15:51:18 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair Mon Jun 11 15:51:18 2012 : Info: ++[monthlycounter] returns noop Mon Jun 11 15:51:18 2012 : Info: Found Auth-Type = CHAP Mon Jun 11 15:51:18 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Mon Jun 11 15:51:18 2012 : Info: +- entering group CHAP {...} Mon Jun 11 15:51:18 2012 : Info: [chap] login attempt by "user" with CHAP password Mon Jun 11 15:51:18 2012 : Info: [chap] Using clear text password "123" for user user authentication. Mon Jun 11 15:51:18 2012 : Info: [chap] Password check failed Mon Jun 11 15:51:18 2012 : Info: ++[chap] returns reject Mon Jun 11 15:51:18 2012 : Info: Failed to authenticate the user. Mon Jun 11 15:51:18 2012 : Auth: Login incorrect (rlm_chap: Wrong user password): [user/<CHAP-Password>] (from client GEC_HotSpot port 0 cli 70-F3-95-AC-E5-70) Mon Jun 11 15:51:18 2012 : Info: Using Post-Auth-Type Reject Mon Jun 11 15:51:18 2012 : Info: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Mon Jun 11 15:51:18 2012 : Info: Delaying reject of request 6 for 1 seconds Mon Jun 11 15:51:18 2012 : Debug: Going to the next request Mon Jun 11 15:51:18 2012 : Debug: Waking up in 0.9 seconds. Mon Jun 11 15:51:19 2012 : Info: Sending delayed reject for request 6 Sending Access-Reject of id 0 to 192.168.1.1 port 32791 Mon Jun 11 15:51:19 2012 : Debug: Waking up in 4.9 seconds. Mon Jun 11 15:51:24 2012 : Info: Cleaning up request 6 ID 0 with timestamp +2008 Mon Jun 11 15:51:24 2012 : Info: Ready to process requests. has anyone an idea how to disable chap authenitification or better to fix it? I would be really happy about every answer which directs me in a certain way, because the hotspot has to work this weekend and I am getting a little bit nervous ;) Cheers iro
irosAurus wrote:
it set up a testuser and if I try a local radcheck on the ubuntu machine, which hosts the freeradius, everything works out fine.
maw@maweee:~$ radtest user 123 192.168.1.2 0 testsecret Sending Access-Request of id 2 to 192.168.1.2 port 1812 User-Name = "user" User-Password = "123"
You do realize that's not doing CHAP, right? See "radtest -h" for instructions on how to do CHAP authentication with radtest.
when I logon to the wifi, I get a right IP (from 192.168.182.0/24) from the hotspot and I am redirected to hotspotlogin.cgi, where I put in the exact same user and password as with the radtest, but login failed. ... Mon Jun 11 15:49:49 2012 : Info: [chap] Using clear text password "123" for user user authentication. Mon Jun 11 15:49:49 2012 : Info: [chap] Password check failed
The hostspot device is NOT calculating the correct CHAP-Password. Go fix it. When you have chap working with radtest, this will prove that the problem is the hotspot. Alan DeKok.
irosaurus wrote:
Hello everybody,
Please subscribe to the list. You're posting from nabble. I'm inclined to ban nabble for a number of reasons.
I get the following debug error from freeradius:
when I try it with a wrong password, I get this debug error:
has anyone an idea how to disable chap authenitification or better to fix it?
Either (a) you didn't include the error messages, or (b) nabble stripped them. Please subscribe to the list.
I would be really happy about every answer which directs me in a certain way, because the hotspot has to work this weekend and I am getting a little bit nervous ;)
It's trivial to get CHAP working. Set a password as per examples in the FAQ. CHAP will work. If CHAP doesn't work, then (a) you broke CHAP by editing the configuration files, or (b) the password in your DB is incompatible with CHAP. In case of (a), use the default configuration. In case of (b), change passwords to clear-text, or don't use CHAP. Alan DeKok.
Hello Alan, Alan wrote:
Please subscribe to the list. You're posting from nabble. I'm inclined to ban nabble for a number of reasons. Either (a) you didn't include the error messages, or (b) nabble stripped them. Please subscribe to the list
thanks for your fast reply! I am already subscribed. Saw that the code was missing (must be nabble) so I sent another mail to the list with the complete debuglog.
It's trivial to get CHAP working. Set a password as per examples in the FAQ. CHAP will work. If CHAP doesn't work, then (a) you broke CHAP by editing the configuration files, or (b) the password in your DB is incompatible with CHAP. In case of (a), use the default configuration. In case of (b), change passwords to clear-text, or don't use CHAP.
First I tried without an SQL-DB and added an user to the users file. That didn't work, so I just uncommented the user "steve" in the users file with the Cleartype-Password. That did not work either. It works local through radtest, but not for the interaction with the hotspot. So I added the database, and put in a new user called "user" and password "123". I can, again, do a local radtest, but it does not work with the hotspot authentication. Is there any way to disable CHAP and give it a try with another auth method? I am not sure where to change this and I am a bit confused about the different conf files and the sites-enabled/default file. Cheers iro
irosAurus wrote:
Is there any way to disable CHAP and give it a try with another auth method?
Configure the hotspot to use another authentication method. The server has NO CONTROL over this.
I am not sure where to change this and I am a bit confused about the different conf files and the sites-enabled/default file.
Ignore most of the configuration files. Edit only what you need to edit. Read the comments in those files. Alan DeKok.
On 11/06/12 15:39, irosAurus wrote:
First I tried without an SQL-DB and added an user to the users file. That didn't work, so I just uncommented the user "steve" in the users file with the Cleartype-Password. That did not work either. It works local through radtest, but not for the interaction with the hotspot. So I added the database, and put in a new user called "user" and password "123". I can, again, do a local radtest, but it does not work with the hotspot authentication.
Logically, the hotspot is mangling the username or passwords.
Is there any way to disable CHAP and give it a try with another auth method? I am not sure where to change this and I am a bit confused about the different conf files and the sites-enabled/default file.
The authentication method (CHAP, PAP, EAP) is decided by the NAS i.e. the hotspot. FreeRADIUS doesn't decide it, and can't change it. If you want to disable CHAP, you need to do it on the NAS.
Hi,
Is there any way to disable CHAP and give it a try with another auth method? I am not sure where to change this and I am a bit confused about the different conf files and the sites-enabled/default file.
NAS config - if its sending CHAP then theres nothing you can do at the RADIUS end to 'fix it up' - look at your hotspot config to see what you can change/adjust a that end (and check your shared secret...as its CHAP there isnt a nice User-Password to give you a hint of incorrect setting...) alan
Hey all,
NAS config - if its sending CHAP then theres nothing you can do at the RADIUS end to 'fix it up' - look at your hotspot config to see what you can change/adjust a that end (and check your shared secret...as its CHAP there isnt a nice User-Password to give you a hint of incorrect setting...) alan
Thanks again for all your replys! I have never seen a mailing-list that had so many answers in such a short time :) So the good news first, it works with CHAP, local and remote! It was neither freeradius nor the AP^^ it was the chillispot cgi-script which is responsible for the client login page. I thought that the cgi-bin folder under /var/www/cgi-bin was used. Instead apache2 uses the /usr/lib/cgi-bin folder for cgi scripts. In the end it was the UAM-Secret in the hotspotlogin.cgi, which was not changed. I edited the wrong file the whole time :/ Maybe some reads this in the Nabble forum and finds this information helpful - took me 4 days to figure that little issue ;) Cheers! iro
participants (5)
-
alan buxey -
Alan DeKok -
irosaurus -
irosAurus -
Phil Mayers