CHAP problem with PPPoE server

Paul Thornton prt at prt.org
Tue Mar 8 23:40:28 CET 2011 

Hi List,

I've got a problem which I now know isn't FreeRADIUS misbehaving but
seems to be some CHAP-related issue, but I can't see what.  With
advanced apologies for being somewhat off-topic, I'm wondering if anyone
has any ideas?

I've been building a test PPPoE server on Linux, specifically CentOS 5.5
with pppd 2.4.4 (also tried 2.4.5) and freeradius-client 1.1.6.  PPPoE
provided by rp-pppoe-3.10.

The server is FreeRADIUS 1.1.7 which I know is a bit old, but this is in
use as a production machine and authenticates a lot of PPP and
interactive login requests without any trouble so hasn't been upgraded
for a while.

In my test setup, all attempts to use CHAP or MSCHAP-v2 for
authentication fail, basically because there is no CHAP challenge or
password sent with the Access-Request.  Not unreasonably, the radius
server rejects the request:

rad_recv: Access-Request packet from host 217.65.165.176:43606, id=160,
length=54
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "paultest"
        NAS-IP-Address = 217.65.165.176
        NAS-Port = 0
...
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [paultest/<no User-Password attribute>] (from client
vttest02 port 0)

I've also set up a FreeBSD PPPoE server to check that this wasn't a
client-side problem; currently I'm using a Mac OS X client but it also
fails using Windows or a Cisco client.  It works OK with the FreeBSD
server - hence the statement about knowing it isn't a FreeRADIUS issue:
rad_recv: Access-Request packet from host 217.65.165.171:50582, id=224,
length=180
        User-Name = "paultest"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        MS-CHAP-Challenge = 0x33323733383637393730323730333033
        MS-CHAP2-Response =
0x0100b2a9c9bdfa3458c17851fd4170fb83ad0000000000000000967b707a1f73c2fa39c936a671ed4e01beb4c9744466c88e
        NAS-IP-Address = 217.65.165.171
        NAS-Identifier = "build1"
        Calling-Station-Id = "7c:6d:62:90:36:55"
        NAS-Port-Type = Ethernet
        NAS-Port = 12
 ...
Login OK: [paultest] (from client vttest01 port 12 cli 7c:6d:62:90:36:55)

Clearly the difference is in the challenge - but I'm at a loss to
understand why this wouldn't "just work" with RADIUS.  The pppd logs
suggest that it is using CHAP, but it doesn't think that letting the
RADIUS server have the challenge is important...

Has anyone had a similar problem or can suggest anything?  I've been
going around in circles here all day and ended up going nowhere.

Many thanks,

Paul.

More information about the Freeradius-Users mailing list