CHAP authentication issue
Alan Cooper
ajcooper80 at googlemail.com
Fri Mar 20 18:46:03 CET 2009
I am trying to migrate from a working Freeradius 1.1.3 installation to
a 2.1.x (currently trying .4) and I'm hitting problem getting CHAP
authentication to work. I use the users file to authenticate DSL users
via a Cisco LNS device - chap doesn't think it's getting the password
from the users file in plaintext.
My users file entry looks like this:
# saf1975 at lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 84.19.252.194,
Framed-IP-Netmask = 255.255.255.255,
Cisco-AVPair = "ip:dns-servers=212.20.226.130 212.20.226.194",
Cisco-AVPair += "ip:route#1=84.19.253.96 255.255.255.224 84.19.252.194",
Cisco-AVPair += "ip:route#2=84.19.255.64 255.255.255.224 84.19.252.194",
Cisco-AVPair += "ip:route#3=217.30.117.96 255.255.255.248 84.19.252.194"
As I'm dealing with multiple domains, I strip out the domain names
coming in from the LNS in proxy.conf.
Can anyone explain why CHAP isn't getting a plaintext password and
what I need to do to resolve? It appears to come through plaintext to
the other 1.1.3 server...
Debug output:-
Ready to process requests.
rad_recv: Access-Request packet from host 193.29.223.253 port 1645,
id=8, length=123
Framed-Protocol = PPP
User-Name = "saf1975 at lumisondsl2.co.uk"
CHAP-Password = 0x015912a2d9f792df9c9b61107520a7967d
NAS-Port-Type = Virtual
NAS-Port = 2208
NAS-Port-Id = "Uniq-Sess-ID2208"
Connect-Info = "1696000"
Service-Type = Framed-User
NAS-IP-Address = 193.29.223.253
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "lumisondsl2.co.uk" for User-Name =
"saf1975 at lumisondsl2.co.uk"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "saf1975"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
[files] users: Matched entry DEFAULT at line 22474
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "saf1975" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available):
[saf1975 at lumisondsl2.co.uk/<CHAP-Password>] (from client dsl-gw port
2208)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
saf1975 at lumisondsl2.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 193.29.223.253 port 1645
More information about the Freeradius-Users
mailing list