On 2011-12-01 23:51, James J J Hooper wrote:
On 01/12/2011 22:41, Piotr wrote:

This is debug from l2tp/ipsec connection:


CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504


[chap] login attempt by "tom3" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available):


and here is debug from working connection for sslvpn:

User-Password = "bd8d9a"

[MOTP] expand: %{User-Password} -> bd8d9a

Exec-Program: returned: 0
++[MOTP] returns ok
Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli
9.72.8.13)


If you want FR to handle the CHAP for you:
 > [chap] Cleartext-Password is required for authentication

If FR doesn't know the correct password, you can't expect it to do CHAP.
Change things so FR knows the password, or do plain text authn as per
your first scenario.



I changed the type of authentication on the Cisco ASA to PAP:

ASA(config)# sh run all | begin tunnel-group l2tp-ipsec ppp-attributes
tunnel-group l2tp-ipsec ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy

but I don't know why I still get this on FR:

rad_recv: Access-Request packet from host 10.62.1.1 port 1025, id=85, length=136
        User-Name = "tom3"
        CHAP-Password = 0x01ccbbe398364421101d8b50e4cb59a46e
        NAS-Port = 6275072
        Service-Type = Framed-User
        Framed-Protocol = PPP
CHAP-Challenge = 0x864b681ad0fc9cbd87668f9d51a638eb9a69cda6dabbf6f2e0b7147fe8d17afc2ea401ba44cf8e7d18802e
        Tunnel-Client-Endpoint:0 = "13.176.76.66"
        NAS-IP-Address = 10.62.1.1
        NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "tom3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 2
[files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'popo3' '' '' '' ''
[files] users: Matched entry tom3 at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "tom3" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.

FR tries to authenticate via CHAP. I don't understand this; I'm a little confused.

Thanks for any advice.

Kind regards
Piotr
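The point James makes above (a server cannot verify CHAP without the cleartext password) is easy to see once both sides of the exchange are written out. The following is an added illustration, not code from this thread or from FreeRADIUS: a NAS computes the RFC 1994 CHAP response from the password the user typed, sends it in the RADIUS CHAP-Password attribute (one identifier byte plus the 16-byte MD5 digest), and the server can only recompute and compare that digest if it holds the same cleartext. The password, identifier and challenge bytes are constructed sample values, and the `radiusd -X` style dump the parser reads is generated here rather than taken from the thread.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed sample values (hypothetical; not the ones in the list thread).
CLEARTEXT_PASSWORD = "constructed-password"
CHAP_IDENT = 0x01
CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """NAS side (RFC 1994 section 4.1): MD5(ident || password || challenge).

    The NAS can compute this because the user just typed the cleartext password.
    """
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def encode_chap_password(ident: int, response: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
    one byte CHAP identifier followed by the 16-byte MD5 response."""
    return bytes([ident]) + response


def verify_chap(chap_password: bytes, challenge: bytes,
                known_cleartext: Optional[str]) -> bool:
    """Server side, the way rlm_chap has to do it: recompute the response from
    the stored cleartext password and compare.  With no cleartext there is
    nothing to hash, which is the "Cleartext-Password is required" rejection
    seen in the debug output.  A hashed or OTP-derived credential cannot be
    used here because the digest covers the cleartext itself."""
    if known_cleartext is None or len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, known_cleartext, challenge)
    return hmac.compare_digest(expected, response)


# Matches the "Attr = 0x..." lines of a radiusd -X attribute dump.  If the NAS
# sends no CHAP-Challenge, RFC 2865 says the Request Authenticator is the
# challenge; this example assumes the attribute is present, as in the thread.
ATTR_RE = re.compile(
    r"^\s*(CHAP-Password|CHAP-Challenge)\s*=\s*0x([0-9a-fA-F]+)\s*$", re.MULTILINE
)


def parse_chap_attrs(debug_text: str) -> Dict[str, bytes]:
    """Pull the two CHAP attributes out of a radiusd -X style dump."""
    return {name: bytes.fromhex(value) for name, value in ATTR_RE.findall(debug_text)}


def build_sample_debug(password: str) -> str:
    """Constructed dump in the radiusd -X layout for a CHAP request that the
    NAS built from `password` (this is what the server would see)."""
    resp = encode_chap_password(CHAP_IDENT, chap_response(CHAP_IDENT, password, CHALLENGE))
    return (
        "rad_recv: Access-Request packet from host 192.0.2.1 port 1025, id=1, length=0\n"
        '\tUser-Name = "tom3"\n'
        f"\tCHAP-Password = 0x{resp.hex()}\n"
        f"\tCHAP-Challenge = 0x{CHALLENGE.hex()}\n"
    )


def authenticate_from_debug(debug_text: str, known_cleartext: Optional[str]) -> bool:
    """Parse the dump and run the server-side check with whatever the server knows."""
    attrs = parse_chap_attrs(debug_text)
    return verify_chap(attrs["CHAP-Password"], attrs["CHAP-Challenge"], known_cleartext)


if __name__ == "__main__":
    dump = build_sample_debug(CLEARTEXT_PASSWORD)
    print(dump)
    print("server knows cleartext:", authenticate_from_debug(dump, CLEARTEXT_PASSWORD))
    print("server has no cleartext:", authenticate_from_debug(dump, None))
```

This also explains the empty `'%{User-Password}'` expansion in the debug above: under CHAP the request carries only CHAP-Password and CHAP-Challenge, so an external OTP script that expects the typed password in User-Password has nothing to work with; only a PAP request (User-Password present, decrypted by the server) gives it that value.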



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
