Thanks to Alan and Stephen, I am closer to a solution. I realized the scrambled password was due to hotspotlogin.php (I need to study Chillispot more), so for now I commented out its uamsecret line, which -- although it still fails on the 123 account -- provides different output in debugging mode:
rad_recv: Access-Request packet from host 192.168.0.72 port 2116, id=0, length=209 User-Name = "123" CHAP-Challenge = 0x176af9b56c5cd047480bbaa4e88b04fd CHAP-Password = 0x00a6498cb1313e02eb187f93dc05302b50 NAS-IP-Address = 0.0.0.0 Service-Type = Login-User Framed-IP-Address = 192.168.182.3 Calling-Station-Id = "C4-17-FE-1C-5C-9D" Called-Station-Id = "00-24-A5-6F-81-0A" NAS-Identifier = "1" Acct-Session-Id = "4c892dd400000000" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Message-Authenticator = 0x5a8e0072ed810540ab6baf61b668b2bd WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff" +- entering group authorize ++[preprocess] returns ok rlm_chap: Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type CHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "CHAP" +- entering group CHAP rlm_chap: login attempt by "123" with CHAP password rlm_chap: Using clear text password "123" for user 123 authentication. rlm_chap: Password check failed ++[chap] returns reject auth: Failed to validate the user. Login incorrect (rlm_chap: Wrong user password): [123/<CHAP-Password>] (from client Subnet port 0 cli C4-17-FE-1C-5C-9D) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 123 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 10 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 10 Sending Access-Reject of id 0 to 192.168.0.72 port 2116 Waking up in 4.9 seconds. Cleaning up request 10 ID 0 with timestamp +3707 Ready to process requests. This message is intended only for the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, or the agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited, and you are requested to return the original message to the sender. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html