CHAP problem with PPPoE server
Paul Thornton
prt at prt.org
Tue Mar 8 23:40:28 CET 2011
Hi List,
I've got a problem which I now know isn't FreeRADIUS misbehaving but
seems to be some CHAP-related issue, but I can't see what. With
advanced apologies for being somewhat off-topic, I'm wondering if anyone
has any ideas?
I've been building a test PPPoE server on Linux, specifically CentOS 5.5
with pppd 2.4.4 (also tried 2.4.5) and freeradius-client 1.1.6. PPPoE
provided by rp-pppoe-3.10.
The server is FreeRADIUS 1.1.7 which I know is a bit old, but this is in
use as a production machine and authenticates a lot of PPP and
interactive login requests without any trouble so hasn't been upgraded
for a while.
In my test setup, all attempts to use CHAP or MSCHAP-v2 for
authentication fail, basically because there is no CHAP challenge or
password sent with the Access-Request. Not unreasonably, the radius
server rejects the request:
rad_recv: Access-Request packet from host 217.65.165.176:43606, id=160,
length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "paultest"
NAS-IP-Address = 217.65.165.176
NAS-Port = 0
...
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [paultest/<no User-Password attribute>] (from client
vttest02 port 0)
I've also set up a FreeBSD PPPoE server to check that this wasn't a
client-side problem; currently I'm using a Mac OS X client but it also
fails using Windows or a Cisco client. It works OK with the FreeBSD
server - hence the statement about knowing it isn't a FreeRADIUS issue:
rad_recv: Access-Request packet from host 217.65.165.171:50582, id=224,
length=180
User-Name = "paultest"
Service-Type = Framed-User
Framed-Protocol = PPP
MS-CHAP-Challenge = 0x33323733383637393730323730333033
MS-CHAP2-Response =
0x0100b2a9c9bdfa3458c17851fd4170fb83ad0000000000000000967b707a1f73c2fa39c936a671ed4e01beb4c9744466c88e
NAS-IP-Address = 217.65.165.171
NAS-Identifier = "build1"
Calling-Station-Id = "7c:6d:62:90:36:55"
NAS-Port-Type = Ethernet
NAS-Port = 12
...
Login OK: [paultest] (from client vttest01 port 12 cli 7c:6d:62:90:36:55)
Clearly the difference is in the challenge - but I'm at a loss to
understand why this wouldn't "just work" with RADIUS. The pppd logs
suggest that it is using CHAP, but it doesn't think that letting the
RADIUS server have the challenge is important...
Has anyone had a similar problem or can suggest anything? I've been
going around in circles here all day and ended up going nowhere.
Many thanks,
Paul.
More information about the Freeradius-Users
mailing list