mschap

Alan DeKok aland at deployingradius.com
Sat Feb 8 02:32:31 UTC 2025


On Feb 7, 2025, at 8:09 PM, Alan Batie <alan at batie.org> wrote:
> The client system is configured with a static user/pw, there's an sql procedure that verifies the static user/pw then checks the mac address against the db

  OK...

> It's not getting to the sql because the mschap is failing.

  The reason the mschap module is failing is because it's unable to set "Auth-Type := mschap".  What's happening?

a) you edited the dictionaries and broke them

b) you didn't put "mschap" into the "authenticate" section

  Pick one.

  One issue here is that you're not starting with the default configuration, and then gradually making it do what you want.  Instead, the configuration is radically changed, and you're trying to debug many changes at the same time.

> Which gave me the idea of putting sql first, and it passes, but mschap fails, so I tried just commenting out mschap, but then it complains that nothing is handling cleartext passwords. I'm not sure how it's working on the old system since the point of chap is to avoid *having* passwords...

  It's not efficient to make random changes and move things around just in case it works.  It's better to understand how the server works, and then configure to do what you want.
 
> (0) Received Access-Request Id 23 from 10.65.23.69:40816 to 10.67.10.137:1812 length 294
> ...
> (0)   MS-CHAP-Challenge = 0x3131366139653232316662366161376332313437343231373735346236613135
> (0)   MS-CHAP2-Response = 0x30313030363236663563643935326431373930373966376465333139303966356465323230303030303030303030303030303030326261653431646530306330366137666137376464356132313063313662623037613235363063623563333838373264

  So that's MS-CHAP attributes, that's good.

> ...
> (0) sql: Executing select query: call onw_authorize_check('<username>','<secret>','<macaddr>');
> (0) sql: User found in radcheck table
> (0) sql: Conditional check items matched, merging assignment check items
> (0) sql:   Cleartext-Password := "<secret>"
> (0) sql:   Cleartext-Password := "<secret>"
> (0) sql:   Cleartext-Password := "<secret>"

  That doesn't make sense.  Why are you adding multiple copies of the password?

> ...
> (0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> (0)     [mschap] = fail

  Yes... there's no "mschap" listed in the "authenticate" section.

  The default configuration has it listed there, going back to the v1.0 days.

  So mschap doesn't work, even with the sql module.

  The issue here is that you've made massive changes to the configuration, without really being clear what those changes are, or what they do.  You're then trying to debug those changes, again without having a clear understanding of what's happening, or why you're making the changes.

  The default configuration works.  Make your local "peak" virtual server look like the "default" one.  It will work.  Every change you make from the default is likely to break something.  Especially if the changes are made at random.

  Alan DeKok.
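
The failure discussed in this thread (mschap sets Auth-Type in "authorize" but is not listed in "authenticate") can be checked mechanically. The following is an added example, not part of the original post and not FreeRADIUS code; the sample virtual servers are constructed, and the list of modules that set Auth-Type is an assumption based on the stock module names.

```python
import re

# Stock module names that set Auth-Type in "authorize" (assumed list).
AUTH_MODULES = {"pap", "chap", "mschap", "digest", "eap"}

# Constructed sample: mschap runs in "authorize" but is absent from "authenticate".
BROKEN = """
server peak {
    authorize {
        sql
        mschap      # sets Auth-Type = mschap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
"""
# Constructed sample with mschap added to "authenticate".
FIXED = BROKEN.replace("    authenticate {\n", "    authenticate {\n        mschap\n")

def section_body(conf, name):
    """Return the text inside the first `name { ... }` block, or ''."""
    conf = re.sub(r"#.*", "", conf)                      # drop comments
    m = re.search(r"^\s*%s\s*\{" % re.escape(name), conf, re.M)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return ""                                            # unbalanced braces

def modules(body):
    """Module calls: a lone word on a line, optionally '-' prefixed or opening a block."""
    return set(re.findall(r"^\s*-?([A-Za-z_][\w.-]*)\s*\{?\s*$", body, re.M))

def missing_authenticators(conf):
    """Modules that set Auth-Type in authorize but are not called in authenticate."""
    called = modules(section_body(conf, "authorize")) & AUTH_MODULES
    return sorted(called - modules(section_body(conf, "authenticate")))

if __name__ == "__main__":
    print("broken:", missing_authenticators(BROKEN))
    print("fixed: ", missing_authenticators(FIXED))
```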


