CHAP-Challenge Question
We are using freeradius 2.1.10. We are using a Mikrotik as a nas and trying to use CHAP for hotspot access. I have a test user setup and can use ntradping to Access-Accept back. Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 174.57.91.24 port 1026, id=7, length=52 User-Name = "testwifi" CHAP-Password = 0xe89981fe6bf05bf6af662769cbb1a084f8 # Executing section authorize from file /opt/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [sql] expand: %{User-Name} -> testwifi [sql] sql_set_user escaped user --> 'testwifi' [sql] User found in radcheck table ++[sql] returns ok ++[mschap] returns noop Found Auth-Type = CHAP # Executing group from file /opt/etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "testwifi" with CHAP password [chap] Using clear text password "testblah" for user testwifi authentication. [chap] chap user testwifi authenticated succesfully ++[chap] returns ok Login OK: [testwifi] (from client mikrotik port 0) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 7 to 174.57.91.24 port 1026 Mikrotik-Rate-Limit := "256k/512k" Session-Timeout += 120 Finished request 1. Going to the next request When a request comes in from the Tik , it adds a CHAP challenge and the Chap password obviously is differejt and the request fails. rad_recv: Access-Request packet from host 203.45.185.115 port 33303, id=6, length=246 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:12:AB:36:3E:0C" Called-Station-Id = "server1" NAS-Port-Id = "bridge1" User-Name = "testwifi" MS-CHAP-Domain = "wifi.net" NAS-Port = 2157969420 Acct-Session-Id = "80a0000c" Framed-IP-Address = 192.168.10.246 Mikrotik-Host-IP = 192.168.10.246 CHAP-Challenge = 0xf3663a1617d0a1d2537c157ee4ef1e77 CHAP-Password = 0xedcbec473f0529359a785e47ada0e0b23e Service-Type = Login-User WISPr-Logoff-URL = "http://0.0.0.0/logout" NAS-Identifier = "MikroTik" NAS-IP-Address = 203.45.185.115 Mikrotik-Realm = "wifi.net" # Executing section authorize from file /opt/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [sql] expand: %{User-Name} -> testwifi [sql] sql_set_user escaped user --> 'testwifi' [sql] User found in radcheck table ++[sql] returns ok ++[mschap] returns noop Found Auth-Type = CHAP # Executing group from file /opt/etc/raddb/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "testwifi" with CHAP password [chap] Using clear text password "testblah" for user testwifi authentication. [chap] Password check failed ++[chap] returns reject Failed to authenticate the user. Login incorrect (rlm_chap: Wrong user password): [testwifi/<CHAP-Password>] (from client mikrotik port 2157969420 cli 00:12:AB:36:3E:0C) Using Post-Auth-Type Reject # Executing group from file /opt/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testwifi attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 22 for 1 seconds Going to the next request Waking up in 0.3 seconds. What basic element am I failing to understand? If the chap challenge string is sent in, should freeradius be able to use that with the chap-password to accept the user? Thanks Jeremiah
Jeremiah wrote:
When a request comes in from the Tik , it adds a CHAP challenge and the Chap password obviously is differejt and the request fails.
The CHAP-Challenge is a random number. The CHAP-Password depends on the real password, and the random number. It should *always* be different for every packet.
What basic element am I failing to understand? If the chap challenge string is sent in, should freeradius be able to use that with the chap-password to accept the user?
Yes. Unless the user entered the wrong password. Or, the NAS does the CHAP algorithm incorrectly. Alan DeKok.
participants (2)
-
Alan DeKok -
Jeremiah