Chap Challenge Failing

Alan DeKok aland at deployingradius.com
Fri Apr 11 14:51:12 CEST 2014


Joseph Showalter wrote:
> I am willing to do that... But running the latest version that Debian stable gives me :)

  We're working with Debian to fix that... the FreeRADIUS package seems
to have been ignored for years.

> Anything newer requires a compile and that takes a bit of study for me.

  Go to http://wiki.freeradius.org, type "debian" into the search box.
Follow the instructions.

> Well, I am no expert here, but in this case, the SIM vendor has taken pcap files, and double checked this.

  The same people who got the CHAP calculation wrong in the first place?
 Hmm.. that doesn't make much sense.

  My next guess was that the vendor was treating the password as a hex
string, and converting it to binary before doing the password checks.
The Cleartext-Password converts to the string: mF@#s^@`DW"Qidiawi.com

  Which does look interesting, but that doesn't work, either.

> We love FR. And don't want to think that's the problem.

  It's not.

> But we are very puzzled.
> I am putting the exact same password in the SIM as you see in the users file.
> And then testing with radtest and testing with winntrad test, it seems so strange that only the SIM is failing.

  Then the SIM is wrong.

> The vendor here is a 3G handset, using a Gemalto SIM card, with a backbone of Ericsson equipment.

  <shrug>  Something there is broken.

> Shall I do a new pcap and test?
> Do you think FR 3 would make any difference? 

  Version 3 will be the same as version 2.

> I figured CHAP is around long enough there would not be any changes in newer releases?

  Yes.  But vendors will still get things wrong.

  Alan DeKok.
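
Added example (not part of the original message, and not FreeRADIUS code): a Python check for the hypothesis discussed above, that a client hex-decodes the password before hashing. It recomputes the RFC 1994 CHAP response, MD5(ID || password || challenge), for each candidate encoding and compares it with a captured CHAP-Password value; the sample password, authenticator and all function names are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(chap_id, password, challenge):
    """RFC 1994: response = MD5(ID octet || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def effective_challenge(chap_challenge, request_authenticator):
    """RFC 2865: use CHAP-Challenge if present, else the Request Authenticator."""
    return chap_challenge if chap_challenge else request_authenticator

def candidate_passwords(cleartext):
    """Byte strings a client might have hashed for the configured password."""
    candidates = {"literal": cleartext.encode("utf-8")}
    try:
        candidates["hex-decoded"] = bytes.fromhex(cleartext)
    except ValueError:
        pass  # not valid hex, so the hex hypothesis cannot apply
    return candidates

def diagnose(chap_password_attr, challenge, cleartext):
    """Names of the encodings that reproduce the captured CHAP-Password."""
    if len(chap_password_attr) != 17:
        raise ValueError("CHAP-Password is 1 ID octet + 16 response octets")
    chap_id, received = chap_password_attr[0], chap_password_attr[1:]
    return [name for name, pw in candidate_passwords(cleartext).items()
            if hmac.compare_digest(chap_response(chap_id, pw, challenge), received)]

# Constructed sample data, not taken from the thread's pcap.
SAMPLE_PASSWORD = "6d4640237365"           # hex digits; decodes to b"mF@#se"
SAMPLE_AUTHENTICATOR = bytes(range(16))    # stands in for the Request Authenticator
SAMPLE_ID = 0x2A

def simulate_client(hex_decodes):
    """Build the CHAP-Password a correct or hex-decoding client would send."""
    pw = bytes.fromhex(SAMPLE_PASSWORD) if hex_decodes else SAMPLE_PASSWORD.encode()
    chal = effective_challenge(None, SAMPLE_AUTHENTICATOR)
    return bytes([SAMPLE_ID]) + chap_response(SAMPLE_ID, pw, chal)

if __name__ == "__main__":
    for broken in (False, True):
        attr = simulate_client(broken)
        print(broken, diagnose(attr, SAMPLE_AUTHENTICATOR, SAMPLE_PASSWORD))
```

An empty result from diagnose() means neither encoding explains the capture, so the mismatch lies elsewhere, for example in which challenge value the client hashed.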

