FreeRADIUS Authentication Fails

authentication freeradius2

I'm using an SQL database of accounts for FreeRADIUS to authenticate against. I'm managing these accounts using the default Dialup Admin interface. I have created a test user, testing123, and given it a password. However, I cannot successfully authenticate the account using a client request.

Here's the extended debug output of my authentication request from running the freeradius daemon with the -X flag:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 55479, id=8, length=154
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "testing123"
    MS-CHAP-Challenge = 0x1e9b290edee3b10df22ee8b48754b567
    MS-CHAP2-Response = 0xf4007a9bee94e20ab1c0ebefce23984086430000000000000000b2b56ed55e97708d25e7f45fb38d87daa9c6cf433a0d0e1d
    Calling-Station-Id = "MY COMPUTER IP"
    NAS-IP-Address = SERVERIP
    NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
    rlm_realm: No '@' in User-Name = "testing123", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
    users: Matched entry DEFAULT at line 172
++[files] returns ok
    expand: %{User-Name} -> testing123
rlm_sql (sql): sql_set_user escaped user --> 'testing123'
rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'testing123'           ORDER BY id
rlm_sql (sql): User found in radcheck table
    expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'testing123'           ORDER BY id
    expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'testing123'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type mschap
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for testing123 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing123/<via Auth-Type = mschap>] (from client localhost port 0 cli 91.106.233.252)
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> testing123
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 8 to 127.0.0.1 port 55479
Waking up in 4.9 seconds.
Cleaning up request 0 ID 8 with timestamp +29
Ready to process requests.

I can see problems seem to occur during the CHAP authentication stage, but I can't quite understand what the problem is, given that the password provided is, I am sure, correct and has been set by the Dialup Admin utility. Perhaps I am missing some additional configuration, or passwords are not being saved or authenticated using the right format?

Any help is much appreciated!

Best Answer

It seems that you are using CHAP authentication. CHAP authentication cannot be used with encrypted passwords.

Have a look at: http://wiki.freeradius.org/index.php/FAQ#PAP_authentication_works_but_CHAP_fails
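
The constraint described in the answer, shown as an added example (not from the original post and not FreeRADIUS code): a minimal RFC 1994 CHAP check in which the server can only recompute the response from a cleartext secret, while PAP still works against a stored hash. The password, identifier and challenge are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(chap_id, challenge, response, stored, stored_type):
    """Server side. Returns True/False, or None when the stored credential
    cannot be used to recompute the CHAP response at all."""
    if stored_type != "Cleartext-Password":
        return None  # a one-way hash of the password is not the CHAP secret
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)

def verify_pap(submitted, stored, stored_type):
    """PAP delivers the password itself, so the server can hash it and compare."""
    if stored_type == "Cleartext-Password":
        return hmac.compare_digest(submitted, stored)
    if stored_type == "SHA-Password":
        return hmac.compare_digest(hashlib.sha1(submitted).digest(), stored)
    return None

# Constructed sample values (not taken from the debug output above).
PASSWORD = b"s3cret-example"
CHAP_ID = 8
CHALLENGE = bytes(range(16))

def demo():
    response = chap_response(CHAP_ID, PASSWORD, CHALLENGE)  # what the client sends
    sha = hashlib.sha1(PASSWORD).digest()                   # what a hashed DB row holds
    return {
        # Server holds the cleartext: it can rebuild the response and match it.
        "chap_cleartext": verify_chap(CHAP_ID, CHALLENGE, response, PASSWORD,
                                      "Cleartext-Password"),
        # Server holds only a hash: there is nothing to rebuild the response from.
        "chap_hashed": verify_chap(CHAP_ID, CHALLENGE, response, sha, "SHA-Password"),
        # Treating the hash as if it were the secret yields a mismatch,
        # which surfaces as a "response is incorrect" style reject.
        "chap_hash_as_secret": hmac.compare_digest(
            chap_response(CHAP_ID, sha, CHALLENGE), response),
        # The same hashed row is fine for PAP.
        "pap_hashed": verify_pap(PASSWORD, sha, "SHA-Password"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The request in the question is MS-CHAPv2 rather than plain CHAP; the same constraint applies, except that MS-CHAP can also be verified from an NT-Password (the MD4 hash of the UTF-16LE password) instead of the cleartext.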