CHAP Challenge

GT4NE1 gt4ne1 at gmail.com
Mon Apr 16 23:17:03 CEST 2012


Hello all,

I'm troubleshooting a new cell modem authentication attempt.  Previous
cell modems from the same company work fine, but these new cell modems
are having issues authenticating via CHAP even though the username
and password are correct and radcheck and ntradping work just fine.

We're thinking it might have to do with the CHAP challenge length that
gets sent by these new modems, or more specifically, the new radio
module in them.  From packet captures, the same length gets sent every
time (59), but fails with the

[chap] Password check failed
++[chap] returns reject

every time.  Successful attempts from other modems have varying lengths
up to 50 from what I've seen.  Is there a higher level of debug I can
turn on to see why CHAP is failing even though the correct username
and password are being supplied, or is there a CHAP setting somewhere
that specifies a maximum challenge length?

I'm told these modems were successfully tested against a Juniper
RADIUS server.  Below is the debug output and my freeradius version.
Any help would be greatly appreciated.

Thanks!

+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "mktest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> mktest
[sql] sql_set_user escaped user --> 'mktest'
rlm_sql (sql): Reserving sql socket id: 9
[sql] 	expand: SELECT id, UserName, chk_Attribute, password, chk_op
FROM modemAuth WHERE UserName = '%{SQL-User-Name}' and status='active'
ORDER BY id -> SELECT id, UserName, chk_Attribute, password, chk_op
FROM modemAuth WHERE UserName = 'mktest' and status='active' ORDER BY
id
rlm_sql_mysql: query:  SELECT id, UserName, chk_Attribute, password,
chk_op FROM modemAuth WHERE UserName = 'mktest' and status='active'
ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, UserName, rpl_Attribute, IP, rpl_op FROM
modemAuth WHERE UserName = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, UserName, rpl_Attribute, IP, rpl_op FROM modemAuth WHERE UserName
= 'mktest' ORDER BY id
rlm_sql_mysql: query:  SELECT id, UserName, rpl_Attribute, IP, rpl_op
FROM modemAuth WHERE UserName = 'mktest' ORDER BY id
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "mktest" with CHAP password
[chap] Using clear text password "1234567" for user mktest authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password):
[mktest/<CHAP-Password>] (from client modemAuth port 60000 cli
xxxxxxxxxxx)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql] 	expand: %{User-Name} -> mktest
[sql] sql_set_user escaped user --> 'mktest'
[sql] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[sql] 	... expanding second conditional
[sql] 	expand: Chap-Password -> Chap-Password
[sql] 	expand: INSERT into radpostauth (id, user, pass, reply, date)
values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user,
pass, reply, date) values ('', 'mktest', 'Chap-Password',
'Access-Reject', NOW())
[sql] 	expand: /data/radius/radsqltrace.sql -> /data/radius/radsqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id,
user, pass, reply, date) values ('', 'mktest', 'Chap-Password',
'Access-Reject', NOW())
rlm_sql (sql): Reserving sql socket id: 8
rlm_sql_mysql: query:  INSERT into radpostauth (id, user, pass, reply,
date) values ('', 'mktest', 'Chap-Password', 'Access-Reject', NOW())
rlm_sql (sql): Released sql socket id: 8
++[sql] returns ok
[attr_filter.access_reject] 	expand: %{User-Name} -> mktest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 83 to 166.185.13.111 port 1645
Waking up in 4.9 seconds.

rpm -qi freeradius2
Name        : freeradius2                  Relocations: (not relocatable)
Version     : 2.1.12                            Vendor: CentOS
Release     : 3.el5                         Build Date: Wed 22 Feb
2012 08:08:30 PM UTC
Install Date: Mon 19 Mar 2012 07:05:05 PM UTC      Build Host:
builder10.centos.org
Group       : System Environment/Daemons    Source RPM:
freeradius2-2.1.12-3.el5.src.rpm
Size        : 5873621                          License: GPLv2+ and LGPLv2+
Signature   : DSA/SHA1, Wed 22 Feb 2012 08:22:13 PM UTC, Key ID a8a447dce8562897
URL         : http://www.freeradius.org/
Summary     : High-performance and highly configurable free RADIUS server

[root at RADIUS ~]# radtest -t chap mktest 1234567 localhost 0 testing123
Sending Access-Request of id 156 to 127.0.0.1 port 1812
	User-Name = "mktest"
	CHAP-Password = 0x9c87f965b84313794308aa6e7dac569e08
	NAS-IP-Address = 192.168.149.201
	NAS-Port = 0
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=156, length=26
	Framed-IP-Address = 10.130.0.35

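As an added illustration (not part of the original post or of FreeRADIUS), the following Python shows the exact computation rlm_chap performs when it prints "Password check failed": per RFC 1994 the response is MD5(Identifier || password || challenge), and per RFC 2865 the challenge is the CHAP-Challenge attribute if the NAS sent one, otherwise the 16-byte Request Authenticator of the packet. The 59-byte challenge, the 16-byte authenticator and the identifier 0x9c are constructed values; the password "1234567" is the test password from the debug output. The example also shows that a challenge of any length verifies fine, and that the check fails whenever the NAS and the server hash over different challenge bytes (for instance, the NAS used its own long challenge but the server fell back to the Request Authenticator because the attribute never reached it), which is the kind of mismatch worth checking in a packet capture before suspecting the password.

```python
import hashlib
import hmac
from typing import Dict, Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password attribute value (RFC 2865 s5.3):
    one identifier byte followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def select_challenge(attrs: Dict[str, bytes], request_authenticator: bytes) -> bytes:
    """RFC 2865: use CHAP-Challenge if the NAS sent it, else the
    16-byte Request Authenticator of the Access-Request."""
    return attrs.get("CHAP-Challenge", request_authenticator)


def verify_chap(attrs: Dict[str, bytes], request_authenticator: bytes,
                cleartext_password: bytes) -> bool:
    """Server-side check, as a CHAP module does it: recompute the response
    from the known clear-text password and compare in constant time."""
    chap_password: Optional[bytes] = attrs.get("CHAP-Password")
    if chap_password is None or len(chap_password) != 17:
        return False  # malformed attribute: must be ident + 16-byte MD5
    ident = chap_password[0]
    challenge = select_challenge(attrs, request_authenticator)
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> Dict[str, bool]:
    """Run three constructed scenarios and return the verdict of each."""
    password = b"1234567"                    # test password from the debug output
    ident = 0x9C                             # constructed CHAP identifier
    long_challenge = bytes(range(59))        # constructed 59-byte CHAP-Challenge
    authenticator = bytes(range(0x10, 0x20)) # constructed 16-byte Request Authenticator

    # 1. NAS sends a 59-byte CHAP-Challenge and hashes over it; server uses it too.
    good = {
        "CHAP-Challenge": long_challenge,
        "CHAP-Password": encode_chap_password(ident, password, long_challenge),
    }

    # 2. Same packet, but the stored password differs from what the NAS used.
    wrong_password = verify_chap(good, authenticator, b"7654321")

    # 3. NAS hashed over its long challenge but the CHAP-Challenge attribute is
    #    absent from the request, so the server falls back to the Request
    #    Authenticator and the hashes cannot match even with the right password.
    missing_attr = {
        "CHAP-Password": encode_chap_password(ident, password, long_challenge),
    }

    return {
        "long_challenge_ok": verify_chap(good, authenticator, password),
        "wrong_password": wrong_password,
        "challenge_mismatch": verify_chap(missing_attr, authenticator, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'Access-Accept' if ok else 'Access-Reject'}")
```

When reading a capture, compare the CHAP-Challenge attribute (if any) in the Access-Request with what the modem actually hashed over; the length of the challenge never matters to the algorithm, but every byte of it must be identical on both sides.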
