Chap password failing with Cisco

Brent Smith brentwsmith at gmail.com
Fri Jul 1 00:32:43 CEST 2005 

All-

I am trying to get freeradius to authenticate chap for a ISDN backup
call on a cisco. I am running version 1.0.1. I am in control of server
and clients, so I know the passwords match, but the logs say they do
not.

Router setup:
username ie_phx2 password 0 password

users file:

ie_phx2 Password == "password"
        Service-Type = Framed,
        Framed-Protocol = ppp,
        Cisco-Avpair += "multilink:max-links=6",
        Cisco-Avpair += "multilink:min-links=1",
        Cisco-Avpair += "multilink:load-threshhold=192",
        Cisco-Avpair += "lcp:interface-config=ip vrf forwarding
VPDN-1444-ISDNBackup",
        Cisco-Avpair += "lcp:interface-config=ip unnumbered loop144",
        Cisco-Avpair += "lcp:send-secret=password"

log:

rad_recv: Access-Request packet from host XX.XX.XX.XX:1645, id=0, length=91
        Framed-Protocol = PPP
        User-Name = "ie_phx2"
        CHAP-Password = 0x1906c1e965a82a39db372abde8f7455ee6
        NAS-Port = 1
        NAS-Port-Type = Virtual
        Called-Station-Id = "04082415687"
        Service-Type = Framed-User
        NAS-IP-Address = XX.XX.XX.XX
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_realm: No '@' in User-Name = "ie_phx2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 9
    users: Matched ie_phx2 at 147
  modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns ok for request 9
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 9
  rlm_chap: login attempt by "ie_phx2" with CHAP password
  rlm_chap: Using clear text password password for user ie_phx2 authentication.
  rlm_chap: Pasword check failed
  modcall[authenticate]: module "chap" returns reject for request 9
modcall: group Auth-Type returns reject for request 9
auth: Failed to validate the user.
Login incorrect (rlm_chap: Wrong user password):
[ie_phx2/<CHAP-Password>] (from client c
pe2.pop2 port 1)
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 38 with timestamp 42c333c5
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to XX.XX.XX.XX:1645
        Cisco-AVPair += "multilink:max-links=6"
        Cisco-AVPair += "multilink:min-links=1"
        Cisco-AVPair += "multilink:load-threshhold=192"
        Cisco-AVPair += "lcp:interface-config=ip vrf forwarding
VPDN-1444-ISDNBackup\n ip
 unnumbered loop144"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 0 with timestamp 42c333ca
Nothing to do.  Sleeping until we see a request.

Any idea why freeradius thinks the passwords don't match?

Thanks

-Brent Smith

More information about the Freeradius-Users mailing list