Chap Challenge Failing
Joseph Showalter
Tech at ekn.com
Thu Apr 10 22:38:22 CEST 2014
# freeradius -v
freeradius: FreeRADIUS Version 2.1.12
We have a puzzling issue with CHAP Authentication:
Using radtest like this works:
radtest -d /etc/freeradius/ -t chap "6064191000 at ev.myawi.com" "6D464023735E40604457225169645C69" 127.0.0.1 1812 xxxxxx
But when a real live device request comes in, it fails:
This should be allowed but is rejected:
Using md5 hashing, we have confirmed that it is accurate:
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x51 (81)
Length: 145
Authenticator: dbad48a07b45dc16a42806283bfa3432
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: l=25 t=User-Name(1): 6064191000 at ev.myawi.com
User-Name: 6064191000 at ev.myawi.com
AVP: l=19 t=CHAP-Password(3): a7737618eb2d4f46a3945215a989923560
CHAP-Password: a7737618eb2d4f46a3945215a989923560
CHAP Ident: 0xa7
CHAP String: 737618eb2d4f46a3945215a989923560
AVP: l=6 t=NAS-IP-Address(4): 10.xxx.2.1
NAS-IP-Address: 10.xxx.2.1 (10.xxx.2.1)
AVP: l=18 t=CHAP-Challenge(60): 5072685c0183c07d006ff00c160671a0
CHAP-Challenge: 5072685c0183c07d006ff00c160671a0
AVP: l=12 t=Vendor-Specific(26) v=3rd Generation Partnership Project 2 (3GPP2)(5535)
VSA: l=6 t=3GPP2-HRPD-Access/Terminal-Authentication-and-1x-Access-Authorization(60): 1
3GPP2-HRPD-Access/Terminal-Authentication-and-1x-Access-Authorization: 1
AVP: l=23 t=Vendor-Specific(26) v=3rd Generation Partnership Project 2 (3GPP2)(5535)
VSA: l=17 t=3GPP2-AT-Hardware-Identifier(61): [unhandled integer length(15)]
AVP: l=18 t=Message-Authenticator(80): 8ce6cfeb0d0ef6a09bd3dbbdd7495226
Message-Authenticator: 8ce6cfeb0d0ef6a09bd3dbbdd7495226
AVP: l=4 t=Proxy-State(33): 3834
Proxy-State: 3834
Here is the users file we are using for testing:
6064191000 at ev.myawi.com Cleartext-Password := "6D464023735E40604457225169645C69"
        Callback-Id = "000006064191000",
        Fall-Through = Yes
Here is the debug on freeradius -X
Thu Apr 10 15:21:22 2014 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.xx.xx.32 port 1814, id=81, length=145
User-Name = "6064191000 at ev.myawi.com"
CHAP-Password = 0xa7737618eb2d4f46a3945215a989923560
NAS-IP-Address = 10.xxx.2.1
CHAP-Challenge = 0x5072685c0183c07d006ff00c160671a0
3GPP2-Attr-60 = 0x00000001
3GPP2-Attr-61 = 0x010600000001020935799505892280
Message-Authenticator = 0x8ce6cfeb0d0ef6a09bd3dbbdd7495226
Proxy-State = 0x3834
Thu Apr 10 15:24:22 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Thu Apr 10 15:24:22 2014 : Info: +- entering group authorize {...}
Thu Apr 10 15:24:22 2014 : Info: ++[preprocess] returns ok
Thu Apr 10 15:24:22 2014 : Info: ++[auth_log] returns ok
Thu Apr 10 15:24:22 2014 : Info: [chap] Setting 'Auth-Type := CHAP'
Thu Apr 10 15:24:22 2014 : Info: ++[chap] returns ok
Thu Apr 10 15:24:22 2014 : Info: [suffix] Looking up realm "ev.myawi.com" for User-Name = "6064191000 at ev.myawi.com"
Thu Apr 10 15:24:22 2014 : Info: [suffix] No such realm "ev.myawi.com"
Thu Apr 10 15:24:22 2014 : Info: ++[suffix] returns noop
Thu Apr 10 15:24:22 2014 : Info: [files] users: Matched entry 6064191000 at ev.myawi.com at line 1
Thu Apr 10 15:24:22 2014 : Info: ++[files] returns ok
Thu Apr 10 15:24:22 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
Thu Apr 10 15:24:22 2014 : Info: ++[pap] returns noop
Thu Apr 10 15:24:22 2014 : Info: Found Auth-Type = CHAP
Thu Apr 10 15:24:22 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Apr 10 15:24:22 2014 : Info: +- entering group CHAP {...}
Thu Apr 10 15:24:22 2014 : Info: [chap] login attempt by "6064191000 at ev.myawi.com" with CHAP password
Thu Apr 10 15:24:22 2014 : Info: [chap] Using clear text password "325C7727326B6176362A324754623247" for user 6064191000 at ev.myawi.com authentication.
Thu Apr 10 15:24:22 2014 : Info: [chap] Password check failed
Thu Apr 10 15:24:22 2014 : Info: ++[chap] returns reject
Thu Apr 10 15:24:22 2014 : Info: Failed to authenticate the user.
Thu Apr 10 15:24:22 2014 : Auth: Login incorrect (rlm_chap: Wrong user password): [6064191000 at ev.myawi.com/<CHAP-Password>] (from client radiusxx port 0)
Thu Apr 10 15:24:22 2014 : Info: Using Post-Auth-Type Reject
--
respectfully, Joseph | IT
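
An added example, not part of the original post or of FreeRADIUS: a Python check that recomputes the CHAP response as MD5(ident || secret || challenge) (RFC 1994) from the CHAP-Password and CHAP-Challenge in the captured request, and tests it against the password in the users file and the one printed in the debug output. Trying each password both as literal ASCII and as hex-decoded bytes is this example's assumption about where a mismatch could come from; the function and variable names are hypothetical.

```python
import hashlib
import hmac

# Values copied from the Access-Request shown in the post.
CHAP_PASSWORD_HEX = "a7737618eb2d4f46a3945215a989923560"
CHAP_CHALLENGE_HEX = "5072685c0183c07d006ff00c160671a0"
# Candidate secrets: the users-file entry and the value in the debug log.
CANDIDATES = {
    "users file": "6D464023735E40604457225169645C69",
    "debug log": "325C7727326B6176362A324754623247",
}


def split_chap_password(attr_hex):
    """Split the 17-octet CHAP-Password into (ident, 16-octet response)."""
    raw = bytes.fromhex(attr_hex)
    if len(raw) != 17:
        raise ValueError("CHAP-Password must be 1 ident octet + 16 response octets")
    return raw[0], raw[1:]


def chap_response(ident, secret, challenge):
    """RFC 1994: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def secret_encodings(text):
    """Yield (label, bytes) forms of a configured password to try (assumption)."""
    yield "ascii", text.encode("ascii")
    try:
        yield "hex-decoded", bytes.fromhex(text)
    except ValueError:
        pass  # not a hex string; only the literal form applies


def matching_secrets(attr_hex, challenge_hex, candidates):
    """Return [(name, encoding)] for every candidate that reproduces the response."""
    ident, response = split_chap_password(attr_hex)
    challenge = bytes.fromhex(challenge_hex)
    hits = []
    for name, text in candidates.items():
        for label, secret in secret_encodings(text):
            if hmac.compare_digest(chap_response(ident, secret, challenge), response):
                hits.append((name, label))
    return hits


if __name__ == "__main__":
    hits = matching_secrets(CHAP_PASSWORD_HEX, CHAP_CHALLENGE_HEX, CANDIDATES)
    print(hits or "no candidate reproduces the CHAP response")
```

An empty result means none of the listed passwords, in either encoding, produces the response the device sent for that challenge.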