Mac-Based auth and HP chap

jehan procaccia jehan.procaccia at it-sudparis.eu
Wed Apr 29 18:26:38 CEST 2009


Hello,
I use FreeRADIUS Version 2.1.3, and I am trying a basic configuration from my 
HP procurve2650 to do Mac-based radius auth.
For this I've set up a simple users file:

005004B7252E    Auth-Type := Local, Cleartext-Password := "005004B7252E"
                Tunnel-type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-ID = 15

First, it isn't clear to me whether to use Cleartext-Password or 
User-Password, and == or :=, and "" or no "" around the password ...!?
Anyway, with Cleartext-Password it works fine with radtest at least:

$ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret
rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36

Now when my HP switch tries to auth my PC, which has 005004B7252E as the MAC 
address of its eth0, apparently the HP sends a chap password
CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
which turns radius to its chap module, and it fails to authenticate :-(
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

I'm lost. I don't know if I have to set a chap password in the "users" 
file or anywhere else (how, what syntax?),
or if I have to tell my HP switch not to do chap (again, how?).

Thanks .


details of radius -X

rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195
        Framed-MTU = 1480
        NAS-IP-Address = 157.159.17.138
        NAS-Identifier = "Sw-C01"
        User-Name = "005004B7252E"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 26
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "26"
        Called-Station-Id = "00-1c-2e-b4-f2-66"
        Calling-Station-Id = "00-50-04-b7-25-2e"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
        Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-detail-20090429
[auth_log]      expand: %t -> Wed Apr 29 17:28:16 2009
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "005004B7252E" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 005004B7252E
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 8 to 157.159.17.138 port 1125
Waking up in 4.9 seconds.
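
Added example (not part of the original post and not FreeRADIUS code): a small Python check of a CHAP-Password attribute as laid out in RFC 2865 section 5.3, showing why the "[chap] Cleartext-Password is required" line appears: the server has to recompute MD5(ident || password || challenge) itself. The function names and the challenge bytes are constructed for illustration; the debug output above does not show the Request Authenticator, so the posted value can only be parsed here, not verified.

```python
import hashlib
import hmac

# CHAP-Password value copied from the debug output above.
POSTED_ATTR = "0x07fae6d2c08ceb00229ea664ed50056e80"
# Constructed 16-byte challenge; a real one comes from CHAP-Challenge or,
# if that attribute is absent, the packet's Request Authenticator.
SAMPLE_CHALLENGE = bytes(range(16))

def parse_chap_password(attr_hex):
    """Split CHAP-Password into (CHAP ident, 16-byte MD5 response)."""
    text = attr_hex[2:] if attr_hex.lower().startswith("0x") else attr_hex
    raw = bytes.fromhex(text)
    if len(raw) != 17:
        raise ValueError("expected 1 ident octet + 16 response octets")
    return raw[0], raw[1:]

def chap_response(ident, password, challenge):
    """RFC 1994 response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def build_chap_password(ident, password, challenge):
    """What a NAS would place in CHAP-Password (used for the sample below)."""
    return "0x" + bytes([ident]).hex() + chap_response(ident, password, challenge).hex()

def verify_chap(attr_hex, cleartext_password, challenge):
    """Recompute the response from the stored cleartext and compare."""
    ident, response = parse_chap_password(attr_hex)
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    ident, response = parse_chap_password(POSTED_ATTR)
    print("posted ident:", ident, "response:", response.hex())
    sample = build_chap_password(7, "005004B7252E", SAMPLE_CHALLENGE)
    print("exact password:", verify_chap(sample, "005004B7252E", SAMPLE_CHALLENGE))
    print("lower-case MAC:", verify_chap(sample, "005004b7252e", SAMPLE_CHALLENGE))
```

The comparison only succeeds when the server's stored cleartext matches the string the NAS hashed byte for byte, so the case and separators of the MAC string matter.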



