freeradius, problem with chap ?
Piotr
piotr.1234 at interia.pl
Sun Dec 4 11:49:21 CET 2011
On 2011-12-01 23:51, James J J Hooper wrote:
> On 01/12/2011 22:41, Piotr wrote:
>
>> This is debug from l2tp/ipsec connection:
>
>
>> CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
>
>
>> [chap] login attempt by "tom3" with CHAP password
>> [chap] Cleartext-Password is required for authentication
>> ++[chap] returns invalid
>> Failed to authenticate the user.
>> Login incorrect (rlm_chap: Clear text password not available):
>
>
>> and here is debug from working connection for sslvpn:
>
>> User-Password = "bd8d9a"
>
>> [MOTP] expand: %{User-Password} -> bd8d9a
>
>> Exec-Program: returned: 0
>> ++[MOTP] returns ok
>> Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli
>> 9.72.8.13)
>
>
> If you want FR to handle the CHAP for you:
> > [chap] Cleartext-Password is required for authentication
>
> If FR doesn't know the correct password, you can't expect it to do CHAP.
> Change things so FR knows the password, or do plain text authn as per
> your first scenario.
I changed the type of authentication, on the Cisco ASA, to PAP:
ASA(config)# sh run all | begin tunnel-group l2tp-ipsec ppp-attributes
tunnel-group l2tp-ipsec ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
but I don't know why I still get on FR:
rad_recv: Access-Request packet from host 10.62.1.1 port 1025, id=85,
length=136
User-Name = "tom3"
CHAP-Password = 0x01ccbbe398364421101d8b50e4cb59a46e
NAS-Port = 6275072
Service-Type = Framed-User
Framed-Protocol = PPP
CHAP-Challenge = 0x864b681ad0fc9cbd87668f9d51a638eb9a69cda6dabbf6f2e0b7147fe8d17afc2ea401ba44cf8e7d18802e
Tunnel-Client-Endpoint:0 = "13.176.76.66"
NAS-IP-Address = 10.62.1.1
NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "tom3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 2
[files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}'
'%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' ->
/usr/local/bin/otp4freeradius.sh 'popo3' '' '' '' ''
[files] users: Matched entry tom3 at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "tom3" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
FR tries to authenticate via CHAP. I don't understand this, I'm a little
confused.
Thanks for any advice.
Kind regards
Piotr
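As an added illustration of why rlm_chap reports "Cleartext-Password is required" (example code written for this thread, not FreeRADIUS's own implementation): a CHAP-Password is one identifier byte plus MD5(identifier || password || challenge), so the server can only check it by recomputing that hash with the cleartext password, which an OTP script fed `%{User-Password}` never sees on a CHAP request. The challenge, identifier and password below are constructed sample values, not the ones from the debug output.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def parse_hex_attr(value: str) -> bytes:
    """Decode a FreeRADIUS debug-style octets value such as '0x01cc...'."""
    if value.startswith("0x"):
        value = value[2:]
    return bytes.fromhex(value)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, chap_challenge: bytes,
                cleartext_password: Optional[bytes]) -> Tuple[str, str]:
    """Mirror what rlm_chap does with an Access-Request carrying CHAP-Password.

    Returns (module result, message) in the spirit of the debug output.
    """
    if len(chap_password) != 17:
        return "invalid", "CHAP-Password must be 17 octets (id + 16-byte MD5)"
    if cleartext_password is None:
        # Nothing can be recomputed without the secret; this is the thread's failure.
        return "invalid", "Cleartext-Password is required for authentication"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, chap_challenge)
    if hmac.compare_digest(expected, response):
        return "ok", "CHAP response matches"
    return "reject", "CHAP response does not match"


# Constructed sample: what a NAS would send for a user whose password is b"secret123".
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_IDENT = 0x01
SAMPLE_SECRET = b"secret123"
SAMPLE_CHAP_PASSWORD = bytes([SAMPLE_IDENT]) + chap_response(
    SAMPLE_IDENT, SAMPLE_SECRET, SAMPLE_CHALLENGE)


def demo() -> Tuple[str, str, str]:
    """Replay the thread's failure (no cleartext password), then the working case."""
    missing = verify_chap(SAMPLE_CHAP_PASSWORD, SAMPLE_CHALLENGE, None)
    correct = verify_chap(SAMPLE_CHAP_PASSWORD, SAMPLE_CHALLENGE, SAMPLE_SECRET)
    wrong = verify_chap(SAMPLE_CHAP_PASSWORD, SAMPLE_CHALLENGE, b"wrong")
    return missing[0], correct[0], wrong[0]


if __name__ == "__main__":
    print(demo())  # ('invalid', 'ok', 'reject')
```

With PAP the NAS sends User-Password instead, which is why the sslvpn case above reaches the OTP script with a usable value.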