[RADIATOR] Radiator on OSX with mschap/mschapv2 issue

fred pam fnfspam at gmail.com
Wed May 19 12:47:33 CDT 2010


Scuze me, enter-button went AWOL. Anyway:

I've got a strange issue on a Radiator running on OSX. Using local file
authentication (the user-file contains an unencrypted password) I succeed in
using mschap but fail at mschapv2:

radpwtst -mschap -s radiator -secret 'mysecret' -noacct -user peaptest@local -password peaptest123 -trace 5

Reading dictionary file '/etc/radiator/dictionary'
sending Access-Request...
Packet dump:
*** Sending to 192.168.87.171 port 1645 ....

Packet length = 176
01 67 00 b0 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 01 16 70 65 61 70 74 65 73 74 40 68
73 6c 65 69 64 65 6e 2e 6e 6c 06 06 00 00 00 02
04 06 cb 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31
35 34 2e 31 05 06 00 00 04 d2 1e 0b 31 32 33 34
35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32 31
3d 06 00 00 00 00 1a 10 00 00 01 37 0b 0a 10 2d
b5 df 08 5d 30 41 1a 3a 00 00 01 37 01 34 01 01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 52 e0 e1 5e 79 15 17 6d
49 cb 08 95 9d d8 c5 22 23 55 ff e9 0f c3 0f 30
Code:       Access-Request
Identifier: 103
Authentic:  1234567890123456
Attributes:
        User-Name = "peaptest@local"
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.154.1
        NAS-Identifier = "192.168.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        MS-CHAP-Challenge = <16>-<181><223><8>]0A
        MS-CHAP-Response =
<1><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><
0>R<224><225>^y<21><23>mI<203><8><149><157><216><197>"#U<255><233><15><195><15>0

Packet dump:
*** Received from 192.168.87.171 port 1645 ....

Packet length = 26
02 67 00 1a 05 7e 00 5f e8 8c ff 1a c9 06 65 f1
a3 94 84 27 06 06 00 00 00 02
Code:       Access-Accept
Identifier: 103
Authentic:  <5>~<0>_<232><140><255><26><201><6>e<241><163><148><132>'
Attributes:
        Service-Type = Framed-User
OK


radpwtst -mschapv2 -s radiator -secret 'mysecret' -noacct -user peaptest@local -password peaptest123 -trace 5
Reading dictionary file '/etc/radiator/dictionary'
sending Access-Request...
Packet dump:
*** Sending to 192.168.87.171 port 1645 ....

Packet length = 184
01 83 00 b8 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 01 16 70 65 61 70 74 65 73 74 40 68
73 6c 65 69 64 65 6e 2e 6e 6c 06 06 00 00 00 02
04 06 cb 3f 9a 01 20 0e 32 30 33 2e 36 33 2e 31
35 34 2e 31 05 06 00 00 04 d2 1e 0b 31 32 33 34
35 36 37 38 39 1f 0b 39 38 37 36 35 34 33 32 31
3d 06 00 00 00 00 1a 18 00 00 01 37 0b 12 5b 5d
7c 7d 7b 3f 2f 3e 3c 2c 60 21 32 26 26 28 1a 3a
00 00 01 37 19 34 01 00 21 40 23 24 25 5e 26 2a
28 29 5f 2b 3a 33 7c 7e 00 00 00 00 00 00 00 00
ad ce 49 86 cb 1a 36 f0 c9 83 1e ca 84 91 0d dc
f2 98 11 38 e5 f7 57 56
Code:       Access-Request
Identifier: 131
Authentic:  1234567890123456
Attributes:
    User-Name = "peaptest@local"
    Service-Type = Framed-User
    NAS-IP-Address = 192.168.154.1
    NAS-Identifier = "192.168.154.1"
    NAS-Port = 1234
    Called-Station-Id = "123456789"
    Calling-Station-Id = "987654321"
    NAS-Port-Type = Async
    MS-CHAP-Challenge = []|}{?/><,`!2&&(
    MS-CHAP2-Response =
<1><0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0><173><206>I<134><203><26>6<240><201><131><30><202><132><145><13><220><242><152><17>8<229><247>WV

Packet dump:
*** Received from 192.168.87.171 port 1645 ....

Packet length = 36
03 83 00 24 f9 1b 78 ea 51 db 83 08 ad 73 86 9d
1d 88 f1 1e 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 131
Authentic:  <249><27>x<234>Q<219><131><8><173>s<134><157><29><136><241><30>
Attributes:
    Reply-Message = "Request Denied"

Rejected: Request Denied

The debug shows me

Wed May 19 19:45:11 2010: DEBUG: Handling with Radius::AuthFILE: peaptest
Wed May 19 19:45:11 2010: DEBUG: Radius::AuthFILE looks for match with peaptest [peaptest@local]
Wed May 19 19:45:11 2010: DEBUG: Radius::AuthFILE REJECT: Bad Password: peaptest [peaptest@local]

Any takers? It really stumps me...

Regards, Fred
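
Added example, not part of the original post and not Radiator code: a Python decoder for the Microsoft Vendor-Specific attributes in the two Access-Request dumps above, following the RFC 2548 layouts, plus the RFC 2759 ChallengeHash step that exists only in MS-CHAPv2. It shows the structural difference between the two requests (8-byte challenge used directly in v1; 16-byte challenge, peer challenge and user name hashed together in v2). The function names are made up for this example, and the two user-name strings are the forms shown in the decoded output and the debug log.

```python
import hashlib
import struct

MS_VENDOR = 311  # Microsoft vendor id used by the RFC 2548 attributes
# Vendor-Specific attributes copied from the two Access-Request dumps in the post.
V1_VSAS = bytes.fromhex(
    "1a10000001370b0a 102db5df085d3041"
    "1a3a000001370134 0101" + "00" * 24 +
    "52e0e15e7915176d49cb08959dd8c5222355ffe90fc30f30")
V2_VSAS = bytes.fromhex(
    "1a18000001370b12 5b5d7c7d7b3f2f3e3c2c602132262628"
    "1a3a000001371934 0100 21402324255e262a28295f2b3a337c7e" + "00" * 8 +
    "adce4986cb1a36f0c9831eca84910ddcf2981138e5f75756")

def ms_vsas(buf):
    """Walk RADIUS attributes; return {vendor_type: value} for Microsoft VSAs."""
    out, i = {}, 0
    while i + 2 <= len(buf):
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("truncated attribute at offset %d" % i)
        body = buf[i + 2:i + alen]
        if atype == 26 and len(body) >= 6:  # 26 = Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == MS_VENDOR and vlen == len(body) - 4:
                out[vtype] = body[6:]
        i += alen
    return out

def split_response(vtype, val):
    """Split the 50-byte MS-CHAP-Response (1) or MS-CHAP2-Response (25) value."""
    if vtype not in (1, 25) or len(val) != 50:
        raise ValueError("not an MS-CHAP response value")
    fields = {"ident": val[0], "flags": val[1], "nt_response": val[26:50]}
    if vtype == 1:   # v1: LM-Response, then NT-Response
        fields["lm_response"] = val[2:26]
    else:            # v2: Peer-Challenge, 8 reserved bytes, then NT-Response
        fields["peer_challenge"], fields["reserved"] = val[2:18], val[18:26]
    return fields

def v2_challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash: the 8 bytes the v2 NT-Response is computed over."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]

def effective_challenges(user_name):
    """Return (v1 challenge as sent, v2 challenge hash for this user name)."""
    v1, v2 = ms_vsas(V1_VSAS), ms_vsas(V2_VSAS)
    r2 = split_response(25, v2[25])
    return v1[11], v2_challenge_hash(r2["peer_challenge"], v2[11], user_name)

if __name__ == "__main__":
    for name in (b"peaptest@local", b"peaptest"):
        c1, c2 = effective_challenges(name)
        print(name.decode(), "v1:", c1.hex(), "v2:", c2.hex())
```

The v1 challenge is the same whatever user name is supplied, while the v2 challenge hash changes with it, so both ends must hash the identical user-name string for the v2 NT-Response to verify.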