Hi List, I've got a problem which I now know isn't FreeRADIUS misbehaving but seems to be some CHAP-related issue, but I can't see what. With advanced apologies for being somewhat off-topic, I'm wondering if anyone has any ideas?
I've been building a test PPPoE server on Linux, specifically CentOS 5.5 with pppd 2.4.4 (also tried 2.4.5) and freeradius-client 1.1.6. PPPoE provided by rp-pppoe-3.10. The server is FreeRADIUS 1.1.7 which I know is a bit old, but this is in use as a production machine and authenticates a lot of PPP and interactive login requests without any trouble so hasn't been upgraded for a while. In my test setup, all attempts to use CHAP or MSCHAP-v2 for authentication fail, basically because there is no CHAP challenge or password sent with the Access-Request. Not unreasonably, the radius server rejects the request: rad_recv: Access-Request packet from host 217.65.165.176:43606, id=160, length=54 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "paultest" NAS-IP-Address = 217.65.165.176 NAS-Port = 0 ... auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [paultest/<no User-Password attribute>] (from client vttest02 port 0) I've also set up a FreeBSD PPPoE server to check that this wasn't a client-side problem; currently I'm using a Mac OS X client but it also fails using Windows or a Cisco client. It works OK with the FreeBSD server - hence the statement about knowing it isn't a FreeRADIUS issue: rad_recv: Access-Request packet from host 217.65.165.171:50582, id=224, length=180 User-Name = "paultest" Service-Type = Framed-User Framed-Protocol = PPP MS-CHAP-Challenge = 0x33323733383637393730323730333033 MS-CHAP2-Response = 0x0100b2a9c9bdfa3458c17851fd4170fb83ad0000000000000000967b707a1f73c2fa39c936a671ed4e01beb4c9744466c88e NAS-IP-Address = 217.65.165.171 NAS-Identifier = "build1" Calling-Station-Id = "7c:6d:62:90:36:55" NAS-Port-Type = Ethernet NAS-Port = 12 ... Login OK: [paultest] (from client vttest01 port 12 cli 7c:6d:62:90:36:55) Clearly the difference is in the challenge - but I'm at a loss to understand why this wouldn't "just work" with RADIUS. The pppd logs suggest that it is using CHAP, but it doesn't think that letting the RADIUS server have the challenge is important... Has anyone had a similar problem or can suggest anything? I've been going around in circles here all day and ended up going nowhere. Many thanks, Paul. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html