Strange behaviour of rlm_chap (freeradius 1.1.7+mysql)

Dan Searle dan at adelix.com
Thu Sep 6 11:25:38 CEST 2007


Hi,

Hello? Is there anybody out there? Can someone who knows how CHAP
works please explain to me how this could be happening?

Does a CHAP challenge time-out after a certain amount of time? Does
the rlm_chap module hold a copy of old CHAP challenges and prevent
the same one being re-used to stop replay attacks? If so, how do I
switch this off?

Anyone? Anything?

Dan...

Thursday, August 30, 2007, 3:08:16 PM, you wrote:

> Hi,

> I've been running a free radius server for a while now, but today for
> no apparent reason I'm getting a lot of intermittent authentication
> failures using the rlm_chap module.

> Here's a trace of two logins: the first works fine, the second a few
> moments later fails. The username and password supplied in both cases
> are correct and exactly the same. Can anyone shed any light on this?
> I've tried rebuilding the mysql database from scratch, and recompiling
> and installing the radius server, but to no avail...

> ----------------------------------------------------------------------------------------


> rad_recv: Access-Request packet from host 81.178.20.107:1024, id=25, length=204
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = "00:14:A4:87:DF:FF"
>         Called-Station-Id = "rural-ap1"
>         NAS-Port-Id = "wlan2"
>         User-Name = "dan at adelix.com"
>         NAS-Port = 2149580817
>         Acct-Session-Id = "80200011"
>         Framed-IP-Address = 10.5.50.254
>         Mikrotik-Host-IP = 10.5.50.254
>         CHAP-Challenge = 0xxxxxx[removed]
>         CHAP-Password = 0xxxxxx[removed]
>         Service-Type = Login-User
>         WISPr-Logoff-URL = "http://10.5.50.1/logout"
>         NAS-Identifier = "rural-ap1"
>         NAS-IP-Address = 10.0.0.249
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
>   modcall[authorize]: module "preprocess" returns ok for request 3
>   rlm_chap: Setting 'Auth-Type := CHAP'
>   modcall[authorize]: module "chap" returns ok for request 3
>     users: Matched entry DEFAULT at line 54
> radius_xlat:  '/usr/local/bin/mtauth.pl dan at adelix.com'
>   modcall[authorize]: module "files" returns ok for request 3
> radius_xlat:  'dan at adelix.com'
> rlm_sql (sql): sql_set_user escaped user --> 'dan at adelix.com'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op          
> FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 0
> rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   
> FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> rlm_sql_mysql: query:  SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op          
> FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id'
> rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   
> FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id
> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql_mysql: query:  SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
> rlm_sql (sql): Released sql socket id: 0
>   modcall[authorize]: module "sql" returns ok for request 3
> modcall: leaving group authorize (returns ok) for request 3
>   rad_check_password:  Found Auth-Type CHAP
> auth: type "CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group CHAP for request 3
>   rlm_chap: login attempt by "dan at adelix.com" with CHAP password
>   rlm_chap: Using clear text password "xxxxxxx" for user dan at adelix.com authentication.
>   rlm_chap: chap user dan at adelix.com authenticated succesfully
>   modcall[authenticate]: module "chap" returns ok for request 3
> modcall: leaving group CHAP (returns ok) for request 3
> Exec-Program output: Session-Timeout=1173,
> Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121,
> Exec-Program-Wait: value-pairs: Session-Timeout=1173,
> Mikrotik-Xmit-Limit=1073222818, Mikrotik-Recv-Limit=1073515121,
> Exec-Program: returned: 0
> Sending Access-Accept of id 25 to 81.178.20.107 port 1024
>         Session-Timeout = 1173
>         Mikrotik-Xmit-Limit = 1073222818
>         Mikrotik-Recv-Limit = 1073515121
> Finished request 3

> ----------------------------------------------------------------------------------------

> rad_recv: Access-Request packet from host 81.178.20.107:1024, id=24, length=204
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = "00:14:A4:87:DF:FF"
>         Called-Station-Id = "rural-ap1"
>         NAS-Port-Id = "wlan2"
>         User-Name = "dan at adelix.com"
>         NAS-Port = 2149580816
>         Acct-Session-Id = "80200010"
>         Framed-IP-Address = 10.5.50.254
>         Mikrotik-Host-IP = 10.5.50.254
>         CHAP-Challenge = 0xxxxxx[removed]
>         CHAP-Password = 0xxxxxx[removed]
>         Service-Type = Login-User
>         WISPr-Logoff-URL = "http://10.5.50.1/logout"
>         NAS-Identifier = "rural-ap1"
>         NAS-IP-Address = 10.0.0.249
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
>   modcall[authorize]: module "preprocess" returns ok for request 5
>   rlm_chap: Setting 'Auth-Type := CHAP'
>   modcall[authorize]: module "chap" returns ok for request 5
>     users: Matched entry DEFAULT at line 54
> radius_xlat:  '/usr/local/bin/mtauth.pl dan at adelix.com'
>   modcall[authorize]: module "files" returns ok for request 5
> radius_xlat:  'dan at adelix.com'
> rlm_sql (sql): sql_set_user escaped user --> 'dan at adelix.com'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op          
> FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 3
> rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   
> FROM radcheck           WHERE Username = 'dan at adelix.com'           ORDER BY id
> radius_xlat:  'SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> rlm_sql_mysql: query:  SELECT
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op          
> FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id'
> rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op   
> FROM radreply           WHERE Username = 'dan at adelix.com'           ORDER BY id
> radius_xlat:  'SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql_mysql: query:  SELECT
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username =
> 'dan at adelix.com' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
> rlm_sql (sql): Released sql socket id: 3
>   modcall[authorize]: module "sql" returns ok for request 5
> modcall: leaving group authorize (returns ok) for request 5
>   rad_check_password:  Found Auth-Type CHAP
> auth: type "CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group CHAP for request 5
>   rlm_chap: login attempt by "dan at adelix.com" with CHAP password
>   rlm_chap: Using clear text password "xxxxxxx" for user dan at adelix.com authentication.
>   rlm_chap: Password check failed
>   modcall[authenticate]: module "chap" returns reject for request 5
> modcall: leaving group CHAP (returns reject) for request 5
> auth: Failed to validate the user.


> ----------------------------------------------------------------------------------------


> --

> Dan Searle
> Adelix Ltd
> dan.searle at adelix.com web: www.adelix.com
> tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
> snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.



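For readers following the question about timeouts and replay protection, here is an added example (written for this archive page, not code from the thread or from rlm_chap's source) of the CHAP/MD5 check as specified in RFC 1994 and carried in RADIUS per RFC 2865: the verifier recomputes MD5(ident || password || challenge) from the CHAP-Password attribute, the stored clear-text password and the CHAP-Challenge attribute (or the Request Authenticator when that attribute is absent). The computation is stateless, so nothing expires and a replayed packet still verifies; the password, ident and challenge are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional

CHAP_RESPONSE_LEN = 16  # MD5 digest length (RFC 1994, CHAP with MD5)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 s5.3):
    one byte CHAP identifier followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, stored_password: bytes,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check. The challenge is the CHAP-Challenge attribute when
    present, otherwise the 16-byte Request Authenticator (RFC 2865 s5.40).
    No challenge history is kept and no clock is consulted: the result depends
    only on the three inputs, so a mismatch means one of them differs."""
    if len(chap_password) != 1 + CHAP_RESPONSE_LEN:
        return False
    ident, response = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> Dict[str, bool]:
    """Constructed sample exchange (values are not from the thread)."""
    password = b"correct-horse"       # clear-text password as stored in radcheck
    challenge = bytes(range(16))      # what the NAS sent in CHAP-Challenge
    authenticator = bytes(16)         # Request Authenticator of the packet
    pkt = encode_chap_password(7, password, challenge)
    return {
        "good": verify_chap(pkt, password, challenge, authenticator),
        # Same packet presented again: no replay memory, so it still verifies.
        "replay": verify_chap(pkt, password, challenge, authenticator),
        "wrong_password": verify_chap(pkt, b"other", challenge, authenticator),
        # NAS omitted CHAP-Challenge: server falls back to the authenticator,
        # which differs from the challenge the client actually hashed.
        "challenge_mismatch": verify_chap(pkt, password, None, authenticator),
        # Identifier byte altered in transit: the MD5 input changes.
        "bad_ident": verify_chap(bytes([8]) + pkt[1:], password, challenge, authenticator),
    }
```

Run `demo()` to see that only the inputs decide the outcome: an intermittent "Password check failed" with a correct password points at the challenge or identifier the NAS supplied, not at any timeout.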