Chap Challenge Failing
Alan DeKok
aland at deployingradius.com
Fri Apr 11 03:20:43 CEST 2014
Joseph Showalter wrote:
> # freeradius -v
> freeradius: FreeRADIUS Version 2.1.12
<sigh> I wish vendors would use a recent version.
> We have a puzzling issue with CHAP Authentication:
>
>
> Using radtest like this works:
>
> radtest -d /etc/freeradius/ -t chap "6064191000 at ev.myawi.com" "6D464023735E40604457225169645C69" 127.0.0.1 1812 xxxxxx
It uses the same library as the server. So that isn't much of a test.
> But when a real live device request comes in, it fails:
>
> This should be allowed but is rejected:
> Using md5 hashing, we have confirmed that it is accurate:
What does that mean? The CHAP algorithm requires specific steps done
in a specific order. Are you sure you did them all correctly? What
values did you use?
> Apr 10 15:24:22 2014 : Info: [chap] Using clear text password "325C7727326B6176362A324754623247" for user 6064191000 at ev.myawi.com authentication.
> Thu Apr 10 15:24:22 2014 : Info: [chap] Password check failed
That's pretty definitive.
You can believe (a) FreeRADIUS is wrong, and therefore millions of
people can't use CHAP, or (b) the vendor got it wrong, or (c) you
mis-typed the password on one or both ends.
(c) is most likely. (b) much less so. (a) is almost impossible.
I've seen vendors get basic RADIUS concepts wrong, and take years to
fix them. But FreeRADIUS works with thousands of vendors equipment, for
hundreds of millions of users, every single day. It's pretty much
impossible for it to get the CHAP calculation wrong.
I tried your packet as a test case with radclient:
# file "chap"
User-Name = "6064191000 at ev.myawi.com"
CHAP-Password = 0xa7737618eb2d4f46a3945215a989923560
CHAP-Challenge = 0x5072685c0183c07d006ff00c160671a0
$ /radclient -d ../../share/ -f chap -xx localhost auth testing123
And version 3 says (after some minor editing of output)
chap : Login attempt by "6064191000 at ev.myawi.com" with CHAP password
chap : Comparing with "known good" Cleartext-Password
"6D464023735E40604457225169645C69"
chap : chap challenge dbad48a07b45dc16a42806283bfa3432
chap : client sent b39a3d7fb573cdf16e506df74cd4cbe0
chap : we calculated a7487911f7f12c921538b4af618f6396
chap : Password is comparison failed: password is incorrect
It doesn't match. So the passwords are wrong, or the vendor doesn't
calculate the CHAP-Password correctly.
And WHY is everyone so quick to publicly blame FreeRADIUS, but then
keep the vendors name a secret? WHICH vendor is it? What equipment?
Make, model firmware? All that could be helpful.
Alan DeKok.
More information about the Freeradius-Users
mailing list