Dell PowerConnect W Clearpass 100 Software RADIUS Troubleshooting TechNote - Page 5

Tech Note - RADIUS Troubleshooting Version 0.9 There are 2 things to note: 1. When using PAP, it is impossible to distinguish between an incorrect shared secret and an incorrect user password. But in 2 out of 3 cases above the problem is the shared secret is wrong, not that the password is wrong. 2. When using CHAP, if the shared secret is incorrect the server is still able to authenticate and returns Access-Accept! This is believed to be a result of the Message-Authenticator attribute was not present in our test scenario ; when this attribute is present in requests from the client, the RADIUS server is able to use it to determine if the shared secret is in fact correct or not (as the Message- Authenticator value is calculated using the shared secret, if it's wrong then a mismatch will occur). It is understood that when using Message-Authenticator the server will log a message about the shared secret being incorrect. Moral of the story: When debugging a RADIUS authentication problem, one of the FIRST steps should ALWAYS be to check and reset the shared secrets for clients if necessary. This is likely to solve 90% of authentication problems. Complete logs are below for reference: Correct Password - Correct shared secret - CHAP Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.3:2388, id=1, length=76 User-Name = "[email protected]" CHAP-Password = 0x742779bdd72bef15defaf90121a2807799 Calling-Station-Id = "00-17-31-57-d8-78" rlm_chap: Setting 'Auth-Type := CHAP' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username='[email protected]' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup WHERE usergroup.Username = '[email protected]' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username='[email protected]' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup WHERE usergroup.Username = '[email protected]' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql (sql): Released sql socket id: 3 rlm_chap: login attempt by "[email protected]" with CHAP password rlm_chap: Using clear text password password for user [email protected] authentication. rlm_chap: chap user [email protected] authenticated succesfully Exec-Program: /usr/bin/php /opt/amigopod/www/amigopod_request.php 2 1 Exec-Program-Wait: value-pairs: Reply-Message = "Guest", Session-Timeout = 874, Exec-Program: returned: 0 Login OK: [[email protected]] (from client hydra port 0 cli 00-17-31-57-d8-78) rlm_sql (sql): Processing sql_postauth rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_postgresql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', 'Chap-Password', 'Access-Accept', NOW()) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: affected rows = 1 rlm_sql (sql): Released sql socket id: 2 Sending Access-Accept of id 1 to 192.168.2.3 port 2388 Reply-Message = "Guest" Session-Timeout = 874 Correct Password - Correct shared secret - PAP CONFIDENTIAL 5