Freeradius on lenny doesn't permit mschap auth

Phil Mayers p.mayers at
Fri Jan 14 15:32:12 CET 2011

On 14/01/11 12:44, David Dumortier wrote:
> Le Fri Jan 14 2011 � 12:05:36PM +0000, Phil Mayers dit :
>> On 14/01/11 10:59, David Dumortier wrote:
>>>>     You're running 2.0.4.  I suggest upgrading to 2.1.10.
>>> I'm on Debian/lenny, I will stay on lenny.
>> Sigh. So you're not willing to follow the advice people give you. Why ask?
> Mmmmh seems to be pretty offensive !

Shrug. You are entitled to your opinion. I'm not going to lose any sleep 
over it.

> In a production environement you can't make what you want.</end of
> the troll>.

We run a locally-built version of FreeRadius 2.1.10 + patches in a 
production enviroment doing millions of authentications per-day. Maybe 
it's just you that can't run what you like?

>> ...i.e. the mschap module ignores it, because it's not mschap, and no
>> other module catches it, so it can't be handled/authenticated.
>> If you want to test mschap... send an mschap request.
> So radtest can't make an mschap request ?

Yes. In 2.1.10, which you don't want to run.

Even though you are bridling at my advice, I'm going to try one last 
time to be helpful. An MS-CHAP request looks like this:

User-Name = "theuser"
MS-CHAP-Challenge = 0x<32 hex digits>
MS-CHAP2-Response = 0x<100 hex digits>

...and in all versions of FreeRadius, a request like the above can be 
put into a test file and sent with "radclient" like so:

radclient -s -f request.txt $HOST auth $SECRET

All you need to do is generate a valid mschap challenge & response pair; 
you can send the same one again and again (because in mschap the NAS 
generates and supplies the challenge, unlike EAP-MSCHAP where the radius 
server generates it).

You can generate a valid mschap challenge/response by reading the 
MS-CHAP RFCs and writing some code.

Or you can install FreeRadius 2.1.10, on another machine for example, 
and send the mschap requests from there using radtest from 2.1.10.

Or you can use a "real" NAS to send a "real" MSCHAP requests, capture it 
using FreeRadius in debug mode, then "replay" it for testing.

So, you've actually got lots of options.

More information about the Freeradius-Users mailing list