Mac-Based auth and HP chap
Guy Fraser
guy at incentre.net
Wed Apr 29 18:47:09 CEST 2009
On 2009-Apr-29, at 10:26, jehan procaccia wrote:
> hello,
> I use FreeRADIUS Version 2.1.3, and I try a basic configuration from
> my HP procurve2650 to do Mac-based radius auth.
> for this I've setup a simple users file
>
> 005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E"
>     Tunnel-Type = VLAN,
>     Tunnel-Medium-Type = IEEE-802,
>     Tunnel-Private-Group-ID = 15
>
> First, it isn't clear to me whether to use Cleartext-Password or
> User-Password, and == or :=, and "" or no "" around the
> password ...!?
> Anyway, with Cleartext-Password it works fine with radtest at least
>
> $ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret
> rad_recv: Access-Accept packet from host 157.159.100.55 port 1812,
> id=81, length=36
>
> Now when my HP switch tries to auth my PC, which has 005004B7252E as
> MAC@ for its eth0, apparently the HP sends a chap password
> CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
> which turns radius into its chap module and fails to Authenticate :-(
> Found Auth-Type = CHAP
> +- entering group CHAP {...}
> [chap] login attempt by "005004B7252E" with CHAP password
> [chap] Cleartext-Password is required for authentication
> ++[chap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
>
> I'm lost. I don't know if I have to set a chap password in the "users"
> file or anywhere else (how, syntax?)
> or if I have to tell my HP switch not to do chap (again, how?)
>
> Thanks.
>
>
> details of radius -X
>
> rad_recv: Access-Request packet from host 157.159.17.138 port 1125,
> id=8, length=195
> Framed-MTU = 1480
> NAS-IP-Address = 157.159.17.138
> NAS-Identifier = "Sw-C01"
> User-Name = "005004B7252E"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 26
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "26"
> Called-Station-Id = "00-1c-2e-b4-f2-66"
> Calling-Station-Id = "00-50-04-b7-25-2e"
> Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
> CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80
> Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/
> auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-
> detail-20090429
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-
> %Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-
> detail-20090429
> [auth_log] expand: %t -> Wed Apr 29 17:28:16 2009
> ++[auth_log] returns ok
> [chap] Setting 'Auth-Type := CHAP'
> ++[chap] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL
> [suffix] No such realm "NULL"
Uncomment and edit your proxy.conf file for the NULL realm:
...
realm NULL {
type = radius
authhost = LOCAL
accthost = LOCAL
secret = testing123
}
...
>
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = CHAP
> +- entering group CHAP {...}
> [chap] login attempt by "005004B7252E" with CHAP password
> [chap] Cleartext-Password is required for authentication
> ++[chap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> 005004B7252E
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 1 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 1
> Sending Access-Reject of id 8 to 157.159.17.138 port 1125
> Waking up in 4.9 seconds.
--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
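The debug output quoted above ends with rlm_chap reporting "Cleartext-Password is required for authentication". The following Python script is an added example, not code from the original post and not FreeRADIUS code; it models the RFC 2865 section 5.3 CHAP check that rlm_chap performs, to show why a CHAP request can only be verified when the server holds the password in cleartext. It assumes a constructed 16-byte Request Authenticator, a constructed stand-in for the "users" file (the MAC-as-password entry from the post plus a made-up hash-only entry), and a hypothetical helper `nas_chap_password` that builds the attribute the switch would send.

```python
"""Added example: verify a RADIUS CHAP-Password the way rlm_chap must.

Per RFC 2865 section 5.3 the NAS sends CHAP-Password = ident (1 byte) +
MD5(ident || password || challenge) (16 bytes), where challenge is the
CHAP-Challenge attribute if present and otherwise the 16-byte Request
Authenticator. The server can only recompute that MD5 from the cleartext
password, so a hashed password store cannot serve CHAP at all.
"""
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the FreeRADIUS "users" file. The first entry is
# the one from the post (MAC as User-Name, MAC as Cleartext-Password); the
# second is a made-up entry that stores only a hash, to show the failure mode.
USERS = {
    "005004B7252E": {"Cleartext-Password": "005004B7252E"},
    "0011223344AA": {"Crypt-Password": "$1$constructed$hashonly"},  # constructed
}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_chap_password(ident: int, password: str, request_authenticator: bytes,
                      chap_challenge: Optional[bytes] = None) -> bytes:
    """Hypothetical client side: the CHAP-Password value a switch would send
    (ident byte followed by the 16-byte MD5 response)."""
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    return bytes([ident]) + chap_response(ident, password.encode(), challenge)


def verify_chap(user_name: str, chap_password: bytes, request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None, users: dict = USERS) -> str:
    """Server-side check, returning rlm_chap-style module codes:

    'invalid' - no Cleartext-Password available (the message in the post),
    'reject'  - cleartext known but the MD5 does not match,
    'ok'      - response matches.
    """
    if len(chap_password) != 17:
        return "invalid"  # malformed attribute: must be ident + 16-byte digest
    cleartext = users.get(user_name, {}).get("Cleartext-Password")
    if cleartext is None:
        # Mirrors rlm_chap: "Cleartext-Password is required for authentication".
        # A Crypt-Password or other hash cannot be used to recompute the MD5.
        return "invalid"
    ident = chap_password[0]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, cleartext.encode(), challenge)
    # Constant-time compare to avoid leaking how many digest bytes matched.
    return "ok" if hmac.compare_digest(expected, chap_password[1:]) else "reject"


if __name__ == "__main__":
    # Constructed Request Authenticator; a real NAS picks 16 random bytes.
    authenticator = bytes(range(16))
    attr = nas_chap_password(0x07, "005004B7252E", authenticator)
    print("MAC entry with Cleartext-Password:", verify_chap("005004B7252E", attr, authenticator))
    print("entry with only a hashed password:",
          verify_chap("0011223344AA", nas_chap_password(0x07, "x", authenticator), authenticator))
    print("no matching users entry:          ", verify_chap("ZZZZZZZZZZZZ", attr, authenticator))
```

The "invalid" branch is exactly what the quoted debug shows: the request reached the chap module, but no Cleartext-Password was attached to it, so there was nothing to recompute the digest from. For a MAC-based setup the "password" is the MAC itself, so keeping it as Cleartext-Password in the users file costs nothing in secrecy, while any hashed-only entry can only ever work when the NAS sends PAP.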