CHAP-Challenge Question
Jeremiah
mis at airmail.net
Thu Mar 10 21:48:22 CET 2011
We are using freeradius 2.1.10.
We are using a Mikrotik as a nas and trying to use CHAP for hotspot
access. I have a test user setup and can use ntradping to Access-Accept
back.
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 174.57.91.24 port 1026, id=7,
length=52
User-Name = "testwifi"
CHAP-Password = 0xe89981fe6bf05bf6af662769cbb1a084f8
# Executing section authorize from file /opt/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> testwifi
[sql] sql_set_user escaped user --> 'testwifi'
[sql] User found in radcheck table
++[sql] returns ok
++[mschap] returns noop
Found Auth-Type = CHAP
# Executing group from file /opt/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "testwifi" with CHAP password
[chap] Using clear text password "testblah" for user testwifi
authentication.
[chap] chap user testwifi authenticated succesfully
++[chap] returns ok
Login OK: [testwifi] (from client mikrotik port 0)
# Executing section post-auth from file /opt/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 174.57.91.24 port 1026
Mikrotik-Rate-Limit := "256k/512k"
Session-Timeout += 120
Finished request 1.
Going to the next request
When a request comes in from the Tik, it adds a CHAP challenge and the
CHAP password obviously is different and the request fails.
rad_recv: Access-Request packet from host 203.45.185.115 port 33303,
id=6, length=246
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00:12:AB:36:3E:0C"
Called-Station-Id = "server1"
NAS-Port-Id = "bridge1"
User-Name = "testwifi"
MS-CHAP-Domain = "wifi.net"
NAS-Port = 2157969420
Acct-Session-Id = "80a0000c"
Framed-IP-Address = 192.168.10.246
Mikrotik-Host-IP = 192.168.10.246
CHAP-Challenge = 0xf3663a1617d0a1d2537c157ee4ef1e77
CHAP-Password = 0xedcbec473f0529359a785e47ada0e0b23e
Service-Type = Login-User
WISPr-Logoff-URL = "http://0.0.0.0/logout"
NAS-Identifier = "MikroTik"
NAS-IP-Address = 203.45.185.115
Mikrotik-Realm = "wifi.net"
# Executing section authorize from file /opt/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> testwifi
[sql] sql_set_user escaped user --> 'testwifi'
[sql] User found in radcheck table
++[sql] returns ok
++[mschap] returns noop
Found Auth-Type = CHAP
# Executing group from file /opt/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "testwifi" with CHAP password
[chap] Using clear text password "testblah" for user testwifi
authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password):
[testwifi/<CHAP-Password>] (from client mikrotik port 2157969420 cli
00:12:AB:36:3E:0C)
Using Post-Auth-Type Reject
# Executing group from file /opt/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testwifi
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 22 for 1 seconds
Going to the next request
Waking up in 0.3 seconds.
What basic element am I failing to understand? If the chap challenge
string is sent in, should freeradius be able to use that with the
chap-password to accept the user?
Thanks
Jeremiah
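The check the post is asking about, as an added example that is not from the post or from FreeRADIUS itself: RFC 1994 CHAP verification as a RADIUS server performs it (RFC 2865 section 5.3), where CHAP-Password is the one-byte CHAP identifier followed by MD5(identifier || cleartext password || challenge), and the challenge is the CHAP-Challenge attribute when the NAS sends one, or the 16-byte Request Authenticator of the packet otherwise. The function names are my own; the constructed authenticator in the demo is a placeholder, and the challenge and CHAP-Password values at the bottom are the ones from the failing request above.

```python
import hashlib
import hmac
from typing import Optional

DIGEST_LEN = 16  # MD5 output; CHAP-Password is 1 ident byte + 16 digest bytes


def pick_challenge(chap_challenge: Optional[bytes], request_authenticator: bytes) -> bytes:
    """RFC 2865 5.3: use the CHAP-Challenge attribute if present, otherwise the
    Request Authenticator of the Access-Request serves as the challenge."""
    return chap_challenge if chap_challenge is not None else request_authenticator


def chap_response(ident: int, cleartext: bytes, challenge: bytes) -> bytes:
    """What the client computes: ident || MD5(ident || secret || challenge)."""
    digest = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server-side check: CHAP only works if the server holds the cleartext
    password (hence 'Using clear text password' in the debug output), because
    it must recompute the same MD5 and compare it with the client's response."""
    if len(chap_password) != 1 + DIGEST_LEN:
        return False  # malformed attribute, reject rather than guess
    ident = chap_password[0]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def check_request(chap_password: bytes, cleartext: bytes,
                  request_authenticator: bytes,
                  chap_challenge: Optional[bytes] = None) -> bool:
    """Full server decision for one Access-Request."""
    challenge = pick_challenge(chap_challenge, request_authenticator)
    return verify_chap(chap_password, challenge, cleartext)


if __name__ == "__main__":
    # Constructed round trip: client and server agree on the challenge.
    authenticator = bytes(range(16))  # placeholder Request Authenticator
    resp = chap_response(0x07, b"testblah", authenticator)
    print("no CHAP-Challenge, authenticator used:",
          check_request(resp, b"testblah", authenticator))
    # Values from the failing Mikrotik request in the post.
    challenge = bytes.fromhex("f3663a1617d0a1d2537c157ee4ef1e77")
    chap_pw = bytes.fromhex("edcbec473f0529359a785e47ada0e0b23e")
    print("Mikrotik request with 'testblah':",
          check_request(chap_pw, b"testblah", authenticator, challenge))
```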