CHAP Issues

Dan Goscomb Dan.Goscomb at hso.co.uk
Mon Feb 9 11:24:59 CET 2015


Hi All

We are getting seemingly random CHAP authentication issues. These are
known-good passwords configured on test routers; however, we still get
the same authentication failure. Has anyone else seen such things?

A debug output for one such request is here. The password that the
module pulls out to compare against is 100% what we are using.


rad_recv: Access-Request packet from host 217.196.224.5 port 1645,
id=92, length=148
        Framed-Protocol = PPP
        User-Name = "264247.313093 at hs.hsoworld.com"
        CHAP-Password = 0x022714dafa245ec52463c2afc25ea7dbe2
        Calling-Station-Id = "BBEU17129208"
        Connect-Info = "6631000/444000"
        NAS-Port-Type = ISDN
        NAS-Port = 21378
        NAS-Port-Id = "Uniq-Sess-ID1378"
        Service-Type = Framed-User
        NAS-IP-Address = 217.196.224.5
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{User-Name} -> 264247.313093 at hs.hsoworld.com
[preprocess]    expand: %{NAS-IP-Address} -> 217.196.224.5
++[preprocess] = ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] = ok
++[mschap] = noop
[suffix] Looking up realm "hs.hsoworld.com" for User-Name =
"264247.313093 at hs.hsoworld.com"
[suffix] Found realm "hs.hsoworld.com"
[suffix] Adding Stripped-User-Name = "264247.313093"
[suffix] Adding Realm = "hs.hsoworld.com"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[unix] = notfound
[files] users: Matched entry DEFAULT at line 425
++[files] = ok
[sql] WARNING: Deprecated conditional expansion ":-".  See "man unlang"
for details
[sql]   expand: %{Stripped-User-Name:-%{User-Name:-none}} ->
264247.313093
[sql] sql_set_user escaped user --> '264247.313093'
rlm_sql (sql): Reserving sql socket id: 5
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '264247.313093'           ORDER BY
id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '%{SQL-User-Name}'           ORDER
BY id -> SELECT id, username, attribute, value, op           FROM
radreply           WHERE username = '264247.313093'           ORDER BY
id
[sql]   expand: SELECT groupname           FROM usergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM usergroup           WHERE username =
'264247.313093'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op
FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           Value, op
FROM radgroupcheck           WHERE groupname = 'hsodefault'
ORDER BY id
[sql] User found in group hsodefault
[sql]   expand: SELECT id, groupname, attribute,           value, op
FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           value, op
FROM radgroupreply           WHERE groupname = 'hsodefault'
ORDER BY id
rlm_sql (sql): Released sql socket id: 5
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = CHAP
# Executing group from file /etc/raddb/sites-enabled/default
+group CHAP {
[chap] login attempt by "264247.313093" with CHAP password
[chap] Using clear text password "Gr03ven0r" for user 264247.313093
authentication.
[chap] Password check failed
++[chap] = reject
+} # group CHAP = reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password):
[264247.313093 at hs.hsoworld.com] (from client lns00.hex.uk port 21378 cli
BBEU17129208)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} ->
264247.313093 at hs.hsoworld.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
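
For reference when reading the debug output above, an added example (not part of the original post and not FreeRADIUS code) of the comparison a CHAP check performs per RFC 1994 and RFC 2865: the 17-octet CHAP-Password is a one-octet CHAP ident plus an MD5 response over ident, password and challenge, and when the request carries no CHAP-Challenge attribute the 16-octet Request Authenticator is the challenge. The function names, sample password and sample authenticator are constructed for illustration; only the CHAP-Password value is taken from the log.

```python
import hashlib
import hmac

def parse_chap_password(attr: bytes):
    """Split a RADIUS CHAP-Password value into (CHAP ident, 16-byte response)."""
    if len(attr) != 17:
        raise ValueError(f"CHAP-Password must be 17 octets, got {len(attr)}")
    return attr[0], attr[1:]

def select_challenge(chap_challenge, request_authenticator: bytes) -> bytes:
    """RFC 2865: use CHAP-Challenge if present, else the Request Authenticator."""
    if chap_challenge:
        return chap_challenge
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    return request_authenticator

def expected_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the ident octet, the shared password, then the challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_check(attr, password, chap_challenge, request_authenticator) -> bool:
    """True only if ident, password and challenge all match what the peer hashed."""
    ident, response = parse_chap_password(attr)
    challenge = select_challenge(chap_challenge, request_authenticator)
    return hmac.compare_digest(response, expected_response(ident, password, challenge))

# CHAP-Password value as printed in the debug output (0x prefix removed).
PAGE_CHAP_PASSWORD = bytes.fromhex("022714dafa245ec52463c2afc25ea7dbe2")

# Constructed sample data: the log does not show the challenge, so the
# page's own response cannot be recomputed from the log alone.
SAMPLE_PASSWORD = b"example-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_ATTR = bytes([2]) + expected_response(2, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR)

def demo():
    ident, response = parse_chap_password(PAGE_CHAP_PASSWORD)
    return {
        "page_ident": ident,
        "page_response": response.hex(),
        # Same password, same challenge: accepted.
        "match": chap_check(SAMPLE_ATTR, SAMPLE_PASSWORD, None, SAMPLE_AUTHENTICATOR),
        # Same password, different challenge bytes: rejected.
        "other_challenge": chap_check(SAMPLE_ATTR, SAMPLE_PASSWORD, None, bytes(16)),
    }

if __name__ == "__main__":
    print(demo())
```

The rejected case shows that the result depends on the ident and challenge bytes as well as the password, so a stored password that looks right in the log is not sufficient on its own for the check to pass.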
