CHAP problem with PPPoE server

Paul Thornton prt at
Tue Mar 8 23:40:28 CET 2011

Hi List,

I've got a problem which I now know isn't FreeRADIUS misbehaving but
seems to be some CHAP-related issue, but I can't see what.  With
advanced apologies for being somewhat off-topic, I'm wondering if anyone
has any ideas?

I've been building a test PPPoE server on Linux, specifically CentOS 5.5
with pppd 2.4.4 (also tried 2.4.5) and freeradius-client 1.1.6.  PPPoE
provided by rp-pppoe-3.10.

The server is FreeRADIUS 1.1.7 which I know is a bit old, but this is in
use as a production machine and authenticates a lot of PPP and
interactive login requests without any trouble so hasn't been upgraded
for a while.

In my test setup, all attempts to use CHAP or MSCHAP-v2 for
authentication fail, basically because there is no CHAP challenge or
password sent with the Access-Request.  Not unreasonably, the radius
server rejects the request:

rad_recv: Access-Request packet from host, id=160,
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "paultest"
        NAS-IP-Address =
        NAS-Port = 0
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [paultest/<no User-Password attribute>] (from client
vttest02 port 0)

I've also set up a FreeBSD PPPoE server to check that this wasn't a
client-side problem; currently I'm using a Mac OS X client but it also
fails using Windows or a Cisco client.  It works OK with the FreeBSD
server - hence the statement about knowing it isn't a FreeRADIUS issue:
rad_recv: Access-Request packet from host, id=224,
        User-Name = "paultest"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        MS-CHAP-Challenge = 0x33323733383637393730323730333033
        MS-CHAP2-Response =
        NAS-IP-Address =
        NAS-Identifier = "build1"
        Calling-Station-Id = "7c:6d:62:90:36:55"
        NAS-Port-Type = Ethernet
        NAS-Port = 12
Login OK: [paultest] (from client vttest01 port 12 cli 7c:6d:62:90:36:55)

Clearly the difference is in the challenge - but I'm at a loss to
understand why this wouldn't "just work" with RADIUS.  The pppd logs
suggest that it is using CHAP, but it doesn't think that letting the
RADIUS server have the challenge is important...

Has anyone had a similar problem or can suggest anything?  I've been
going around in circles here all day and ended up going nowhere.

Many thanks,


More information about the Freeradius-Users mailing list