CHAP and Cleartext-Password
Tevfik Ceydeliler
tevfik.ceydeliler at astron.yasar.com.tr
Mon Feb 23 16:52:09 CET 2015
Hi,
I am newbie about Freeradius.
I have One time Password Server as proxy.
My user comes to freeradius from GSM operator by using an APN
Freeradius uses MySQL to store username and IP Pool.When a user come,
Freeradius verifies password from OTP and assing an IP address.
Thsi what I wanan doƧ
In LAN tests, there was no problem. But when I try to test from APN to
connect my user I get some error.
Here is my user and log
#####################################
mysql> select * from radcheck where username like '%yagmurgida6%';
+-----+----------------------+------------------------------+----+-------+
| id | username | attribute | op | value |
+-----+-------------+---------------------------------------+-----+-------+
| 197 | yagmurgida6 | Cleartext-Password | := | test |
+-----+-------------+--------------------------------------+------+-------+
#####################################
rad_recv: Access-Request packet from host 172.30.80.1 port 24160,
id=115, length=388
Calling-Station-Id = "905330443893"
User-Name = "yagmurgida6"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015044743893"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 56032450
3GPP-GPRS-Negotiated-QoS-profile = "99-13921F7396F7FE74FAF7FE"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.10
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610ec77e26f
3GPP-Attr-23 = 0x8000
3GPP-IMEISV = "3541140143174615"
3GPP-PDP-Type = 0
CHAP-Challenge = 0xae4696cc70b2fa9d1628d9b59e19d7c3
CHAP-Password = 0x0245569539ebb803dbc0534c0540ea2bc8
NAS-Port = 56400
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "yagmurgida6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> yagmurgida6
[sql] sql_set_user escaped user --> 'yagmurgida6'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE us$
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE us$
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'yagmurgida6' ORD$
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "yagmurgida6" with CHAP password
[chap] Using clear text password "test" for user yagmurgida6
authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> yagmurgida6
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.30.80.1 port 24160,
id=115, length=388
Waiting to send Access-Reject to client TurkcellNasClient port 24160 -
ID: 115
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 115 to 172.30.80.1 port 24160
Waking up in 4.9 seconds.
Cleaning up request 0 ID 115 with timestamp +3231
Ready to process requests.
#################################
As I see, there is CHAP and Cleartext-Password not works together.
Because of I use OTP as proxy local password not necessary.
So to conenct successfully, what attribute I have to use?
--
<br>
<img src="http://www.yasar.com.tr/banner/yhbanner.jpg"> </img>
<br><br>
Bu elektronik postada bulunan tum fikir ve gorusler ve ekindeki dosyalar sadece adres sahip/sahiplerine ait olup, Yasar Toplulugu Sirketleri bu mesajin icerigi ile ilgili olarak hic bir hukuksal sorumlulugu kabul etmez. Eger gonderilmesi dusunulen kisi veya kurulus degilseniz, lutfen gonderen kisiyi derhal haberdar ediniz ve mesaji sisteminizden siliniz.The information contained in this e-mail and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed and Yasar Group Companies do not accept legal responsibility for the contents. If you are not the intended recipient, please immediately notify the sender and delete it from your system.
More information about the Freeradius-Users
mailing list