Hello we use radius, with chilli hotspot for login but the password is not working:
users can not log in, from radius logs it would appear as if chilli login form for the user sends the password in some encrypted format (eap?) while Radius only wants to use it as cleartext (despite configuration "authorize{...}" section allowing other types, as it is default). The radius secret is the same in radius and chilli. What can be wrong? How to make radius understand this encrypted password? As a backup plan, how to make both radius and chilli (if any of you happen to know / if this is radius settings related) use simple PAP... Radius logs show: root@hotspot:/etc/freeradius# freeradius -X FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30 (...) ++[sql] returns ok [expiration] Checking Expiration time: '7 Sep 2012 19:00' ++[expiration] returns ok ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "?�?�??s?�B??xڧ4" [pap] Using clear text password "2i" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. expand: LOGIN ERROR -> LOGIN ERROR Login incorrect (rlm_pap: CLEAR TEXT password check failed): [ddjz/\222�?�? \207s\231\264B\030\006xڧ4] (from client localhost port 1 cli 00-16-E6-35- FB-04) LOGIN ERROR WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject ( Full boring log with initialization debug is available as needed ) Why Auth-Type was found to be PAP, is it said in the RADIUS packet? Or configured wrongly in Radius or maybe in the database? Radius config (and accounts, radius groups etc) are in database in postgresql. Configuration reads: # egrep -v " *#" /etc/freeradius/clients.conf | egrep -v "^ *$" client localhost { ipaddr = 127.0.0.1 secret = testing123 require_message_authenticator = no } # egrep -v " *#" /etc/freeradius/sites-enabled/default | egrep -v "^ *$" authorize { preprocess chap mschap digest suffix eap { ok = return } files sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } Other files are at defaults (from debian stable). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html