mschap

Alan Batie alan at batie.org
Sat Feb 8 00:44:53 UTC 2025


I'm migrating an outdated system from CentOS 5/FreeRADIUS 1.1.7 to 
Ubuntu 24/FreeRADIUS 3.2.5; it authenticates PPP connections via mschap 
by MAC address with an SQL procedure call. It doesn't look like there's 
anything to configure in mschap; the old system has all the mschap stuff 
commented out by default and so does the new system, but mschap is 
failing and it looks like it's not even getting to the SQL part. It 
really just needs to ignore the mschap since the only part of it getting 
used is one of a few static usernames. I can send the full debug output 
privately if need be...

It does work if you're using PAP instead of CHAP, so the SQL part works...

(0) Received Access-Request Id 176 from 10.65.23.69:47717 to 
10.67.10.137:1812 length 294
(0)   Message-Authenticator = 0xcc69da5fbbc2a69a88a5e18907ebcc29
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   NAS-Port-Type = Ethernet
(0)   User-Name = "CPEv2"
(0)   Calling-Station-Id = "64:D1:54:7A:B1:F4"
(0)   Calling-Station-Id = "tarana-service"
(0)   NAS-Port-Id = "vlan2000-tarana"
(0)   Acct-Session-Id = "81f01557"
(0)   MS-CHAP-Challenge = 
0x3131366139653232316662366161376332313437343231373735346236613135
(0)   MS-CHAP2-Response = 
0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646
530306330366137666137376464356132313063313662623037613235363063623563333838373264
(0)   NAS-Identifier = "admin03"
(0)   NAS-IP-Address = 207.55.16.41
(0)   NAS-Port = 15762707
(0) # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/peak
(0)   authorize {
(0)     [preprocess] = ok
(0) auth_log: EXPAND 
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> 
/var/log/freeradius/radacct/10.65.23.69/auth-detail-20250206
(0) auth_log: 
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/10.65.23.69/auth-detail-20250206
(0) auth_log: EXPAND %t
(0) auth_log:    --> Thu Feb  6 15:44:52 2025
(0)     [auth_log] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = fail
(0)   } # authorize = fail
(0) Invalid user: [CPEv2] (from client admin01 port 15762707 cli 
64:D1:54:7A:B1:F4)
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/peak
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: WARNING: No such configuration item .query
(0)     [sql] = noop
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> CPEv2
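
A check that can be run over a debug capture like the one above, added here as an example and not part of the original post: it rejoins mail-wrapped attribute values and compares MS-CHAP attribute sizes with the MS-CHAPv2 sizes from RFC 2759 and RFC 2548. The function names and verdict strings are hypothetical; the MS-CHAP-Challenge value is copied from the log above and the MS-CHAP2-Response line is constructed.

```python
import re
import string

# Raw sizes: MS-CHAPv2 authenticator challenge is 16 octets (RFC 2759);
# MS-CHAP2-Response is 50 octets (RFC 2548: Ident 1, Flags 1,
# Peer-Challenge 16, Reserved 8, Response 24).
EXPECTED = {"MS-CHAP-Challenge": 16, "MS-CHAP2-Response": 50}
HEX_DIGITS = set(string.hexdigits.encode())
ATTR_RE = re.compile(
    r"^\(\d+\)\s+(MS-CHAP-Challenge|MS-CHAP2-Response)\s*=\s*(\S*)\s*$")

# First two lines copied from the debug output above (wrapped as mailed);
# the MS-CHAP2-Response line is constructed for illustration.
SAMPLE = [
    "(0)   MS-CHAP-Challenge = ",
    "0x3131366139653232316662366161376332313437343231373735346236613135",
    "(0)   MS-CHAP2-Response = 0x0100" + "11" * 16 + "00" * 8 + "22" * 24,
    '(0)   NAS-Identifier = "admin03"',
]

def parse_debug(lines):
    """Collect MS-CHAP attributes, rejoining values wrapped onto later lines."""
    attrs, current = {}, None
    for line in lines:
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2)
        elif current and not line.startswith("("):
            attrs[current] += line.strip()  # continuation of a wrapped value
        else:
            current = None
    return attrs

def check_attr(name, hexval):
    """Return (octet count, verdict) for a value printed as 0x... ."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    want = EXPECTED[name]
    if len(raw) == want:
        return len(raw), "ok"
    # Twice the expected size and only ASCII hex digits: consistent with the
    # hex text of the value having been sent instead of the octets themselves.
    if len(raw) == 2 * want and all(b in HEX_DIGITS for b in raw):
        return len(raw), "ascii-hex-encoded"
    return len(raw), "bad-length"

if __name__ == "__main__":
    for name, value in parse_debug(SAMPLE).items():
        print(name, *check_attr(name, value))
```
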