I am trying to migrate from a working Freeradius 1.1.3 installation to a 2.1.x (currently trying .4) and I'm hitting a problem getting CHAP authentication to work. I use the users file to authenticate DSL users via a Cisco LNS device - chap doesn't think it's getting the password from the users file in plaintext.
My users file entry looks like this:

# saf1...@lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 84.19.252.194,
        Framed-IP-Netmask = 255.255.255.255,
        Cisco-AVPair = "ip:dns-servers=212.20.226.130 212.20.226.194",
        Cisco-AVPair += "ip:route#1=84.19.253.96 255.255.255.224 84.19.252.194",
        Cisco-AVPair += "ip:route#2=84.19.255.64 255.255.255.224 84.19.252.194",
        Cisco-AVPair += "ip:route#3=217.30.117.96 255.255.255.248 84.19.252.194"

As I'm dealing with multiple domains, I strip out the domain names coming in from the LNS in proxy.conf.

Can anyone explain why CHAP isn't getting a plaintext password and what I need to do to resolve? It appears to come through plaintext to the other 1.1.3 server...

Debug output:-

Ready to process requests.
rad_recv: Access-Request packet from host 193.29.223.253 port 1645, id=8, length=123
        Framed-Protocol = PPP
        User-Name = "saf1...@lumisondsl2.co.uk"
        CHAP-Password = 0x015912a2d9f792df9c9b61107520a7967d
        NAS-Port-Type = Virtual
        NAS-Port = 2208
        NAS-Port-Id = "Uniq-Sess-ID2208"
        Connect-Info = "1696000"
        Service-Type = Framed-User
        NAS-IP-Address = 193.29.223.253
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "lumisondsl2.co.uk" for User-Name = "saf1...@lumisondsl2.co.uk"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "saf1975"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
[files] users: Matched entry DEFAULT at line 22474
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "saf1975" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available): [saf1...@lumisondsl2.co.uk/<CHAP-Password>] (from client dsl-gw port 2208)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> saf1...@lumisondsl2.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 193.29.223.253 port 1645

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
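Added illustration, not part of the original post and not FreeRADIUS code: a sketch of the RFC 1994 CHAP check, showing why the server must hold the user's cleartext password by the time the CHAP module runs. The function names, the challenge value and the sample attribute are constructed for this example; the challenge for the request in the debug output is not shown on the page.

```python
import hashlib
import hmac

# CHAP-Password value copied from the debug output above.
PAGE_CHAP_PASSWORD = bytes.fromhex("015912a2d9f792df9c9b61107520a7967d")

# Constructed sample challenge. In RADIUS the challenge comes from the
# CHAP-Challenge attribute or, if absent, the Request Authenticator.
SAMPLE_CHALLENGE = bytes(range(16))


def parse_chap_password(attr: bytes):
    """Split CHAP-Password into (1-octet CHAP ident, 16-octet MD5 response)."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(attr: bytes, challenge: bytes, cleartext) -> bool:
    """Recompute the response from the stored cleartext and compare."""
    if cleartext is None:
        # No cleartext available for this request: nothing to hash, so
        # the check cannot even be attempted.
        return False
    ident, response = parse_chap_password(attr)
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(response, expected)


# Constructed sample: what a peer knowing "mypassword" would send (ident 1).
SAMPLE_ATTR = bytes([1]) + chap_response(1, b"mypassword", SAMPLE_CHALLENGE)

if __name__ == "__main__":
    ident, resp = parse_chap_password(PAGE_CHAP_PASSWORD)
    print("ident from page attribute:", ident, "response octets:", len(resp))
    print("cleartext stored:", verify_chap(SAMPLE_ATTR, SAMPLE_CHALLENGE, b"mypassword"))
    print("no password found:", verify_chap(SAMPLE_ATTR, SAMPLE_CHALLENGE, None))
    # A one-way hash of the password is not a usable CHAP secret.
    hashed = hashlib.md5(b"mypassword").hexdigest().encode()
    print("hash stored instead:", verify_chap(SAMPLE_ATTR, SAMPLE_CHALLENGE, hashed))
```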