I'm using an SQL database of accounts for FreeRADIUS to authenticate against. I'm managing these accounts using the default Dialup Admin interface. I have created a test user - testing123 and given it a password. However, I cannot successfully authenticate the account using client request.
Here's the extended debug output of my authentication request from running the freeradius daemon with the -X flag:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 55479, id=8, length=154
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testing123"
MS-CHAP-Challenge = 0x1e9b290edee3b10df22ee8b48754b567
MS-CHAP2-Response = 0xf4007a9bee94e20ab1c0ebefce23984086430000000000000000b2b56ed55e97708d25e7f45fb38d87daa9c6cf433a0d0e1d
Calling-Station-Id = "MY COMPUTER IP"
NAS-IP-Address = SERVERIP
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
rlm_realm: No '@' in User-Name = "testing123", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 172
++[files] returns ok
expand: %{User-Name} -> testing123
rlm_sql (sql): sql_set_user escaped user --> 'testing123'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing123' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing123' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'testing123' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type mschap
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "MSCHAP"
+- entering group MS-CHAP
rlm_mschap: Told to do MS-CHAPv2 for testing123 with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing123/<via Auth-Type = mschap>] (from client localhost port 0 cli 91.106.233.252)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testing123
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 8 to 127.0.0.1 port 55479
Waking up in 4.9 seconds.
Cleaning up request 0 ID 8 with timestamp +29
Ready to process requests.
I can see problems seem to occur during the CHAP authentication stage but I can't quite understand what the problem is, given the fact that the password provided is, I am sure, correct and has been set by the Dialup Admin utility. Perhaps I am missing some additional configuration/passwords are not being saved or authenticated using the right format?
Any help is much appreciated!
