CHAP authentication issue
I am trying to migrate from a working Freeradius 1.1.3 installation to a 2.1.x (currently trying .4) and I'm hitting problem getting CHAP authentication to work. I use the users file to authenticate DSL users via a Cisco LNS device - chap doesn't think it's getting the password from the users file in plaintext. My users file entry looks like this: # saf1975@lumisondsl2.co.uk ADSL: saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 84.19.252.194, Framed-IP-Netmask = 255.255.255.255, Cisco-AVPair = "ip:dns-servers=212.20.226.130 212.20.226.194", Cisco-AVPair += "ip:route#1=84.19.253.96 255.255.255.224 84.19.252.194", Cisco-AVPair += "ip:route#2=84.19.255.64 255.255.255.224 84.19.252.194", Cisco-AVPair += "ip:route#3=217.30.117.96 255.255.255.248 84.19.252.194" As I'm dealing with multiple domains, I strip out the domain names coming in from the LNS in proxy.conf. Can anyone explain why CHAP isn't getting a plaintext password and what I need to do to resolve? It appears to come through plaintext to the other 1.1.3 server... Debug output:- Ready to process requests. rad_recv: Access-Request packet from host 193.29.223.253 port 1645, id=8, length=123 Framed-Protocol = PPP User-Name = "saf1975@lumisondsl2.co.uk" CHAP-Password = 0x015912a2d9f792df9c9b61107520a7967d NAS-Port-Type = Virtual NAS-Port = 2208 NAS-Port-Id = "Uniq-Sess-ID2208" Connect-Info = "1696000" Service-Type = Framed-User NAS-IP-Address = 193.29.223.253 +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] Looking up realm "lumisondsl2.co.uk" for User-Name = "saf1975@lumisondsl2.co.uk" [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "saf1975" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' Invalid operator for item Group: reverting to '==' [files] users: Matched entry DEFAULT at line 22474 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "saf1975" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available): [saf1975@lumisondsl2.co.uk/<CHAP-Password>] (from client dsl-gw port 2208) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> saf1975@lumisondsl2.co.uk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 8 to 193.29.223.253 port 1645
Alan Cooper wrote:
I am trying to migrate from a working Freeradius 1.1.3 installation to a 2.1.x (currently trying .4) and I'm hitting problem getting CHAP authentication to work. I use the users file to authenticate DSL users via a Cisco LNS device - chap doesn't think it's getting the password from the users file in plaintext.
My users file entry looks like this:
# saf1975@lumisondsl2.co.uk ADSL: saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
Use Cleartext-Password := Alan DeKok.
On Fri, Mar 20, 2009 at 6:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
My users file entry looks like this:
# saf1975@lumisondsl2.co.uk ADSL: saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
Use Cleartext-Password :=
Many thanks Alan - I will try this over the weekend. Can you indulge my curiousity and point out (or point me at the docs that explain) what changed? As someone who has to dip in now & again to keep a RADIUS platform operational, I'm finding the docs a bit bewildering and the differences in configs between versions difficult to locate and understand. Kind Regards, Alan
Alan Cooper wrote:
Can you indulge my curiousity and point out (or point me at the docs that explain) what changed?
User-Password is an attribute that goes into a RADIUS packet. Cleartext-Password is the "known good" password that the server has. You can use Cleartext-Password to do PAP, CHAP, or MS-CHAP authentication. But you can't really "compare" it to anything. As someone who has to dip in now & again
to keep a RADIUS platform operational, I'm finding the docs a bit bewildering and the differences in configs between versions difficult to locate and understand.
The new configs are documented a lot better than the old ones. There is little documentation saying what the differences are. Alan DeKok.
participants (2)
-
Alan Cooper -
Alan DeKok