Netgate Discussion Forum

    CHAP Method For Radius

      jeroen234

      chap2 is supported
      I have it with pfsense beta2 and freeradius

        alexus

        jeroen234, I have Beta2 but I don't see the option anywhere to enable CHAP2. Besides, what do you mean, MS CHAP v2? (Because I never heard of regular CHAP v2)

        hoba, then what protocol is used in the Monowall?

          jeroen234

          you enable the chap protocol in your radius server
          by making the passwords in the chap v1/v2 protocol way

          freeradius has this as standard

          pfsense + freeradius package is also using the chap v1/v2 format when using the pfsense freeradius userbase

            alexus

            so in freeradius config I have to change
            CHAP{
            authentication = chap2
            }

            or what?

              jeroen234

              # under MODULES, make sure mschap is uncommented!
              mschap {
                  # authtype value, if present, will be used
                  # to overwrite (or add) Auth-Type during
                  # authorization. Normally, should be MS-CHAP
                  authtype = MS-CHAP

                  # if use_mppe is not set to no, mschap will
                  # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
                  # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
                  #
                  use_mppe = yes

                  # if mppe is enabled, require_encryption makes
                  # encryption moderate
                  #
                  require_encryption = yes

                  # require_strong always requires 128 bit key
                  # encryption
                  #
                  require_strong = yes

                  authtype = MS-CHAP
                  # The module can perform authentication itself, OR
                  # use a Windows Domain Controller. See the radius.conf file
                  # for how to do this.
              }

              authorize {
                  preprocess
                  mschap
                  suffix
                  eap
                  files
              }

              authenticate {
                  #
                  #  MSCHAP authentication.
                  Auth-Type MS-CHAP {
                      mschap
                  }

                  #  Allow EAP authentication.
                  eap
              }

                alexus

                oh ok, so it's MS CHAP after all, let me try that

                Thanks!

                  jeroen234

                  in your users file you have this to use chap v1 on windows 95/98 or chap v2 on higher windows versions

                  "testuser"      User-Password == "Secret149"

                  when you crypt your passwords the chap protocol will fail

                    alexus

                    I've edited the config with the settings you provided, but it still says that username is invalid, also for some reason the captive portal doesn't send Auth-Type = MS-CHAP… ?

                      jeroen234

                      all captive portals send auth type = local
                      this is normal
                      check the beginning of your users file against mine
                      I think I have altered a thing there to make vpn and portal work on pfsense

                      I think it was something with system

                      # DEFAULT entries match with all login names.
                      # Note that DEFAULT entries can also Fall-Through (see first entry).
                      # A name-value pair from a DEFAULT entry will _NEVER_ override
                      # an already existing name-value pair.
                      #
                      
                      #
                      # First setup all accounts to be checked against the UNIX /etc/passwd.
                      # (Unless a password was already given earlier in this file).
                      #
                      #DEFAULT	Auth-Type = System
                      #	Fall-Through = 1
                      
                      #
                      # Set up different IP address pools for the terminal servers.
                      # Note that the "+" behind the IP address means that this is the "base"
                      # IP address. The Port-Id (S0, S1 etc) will be added to it.
                      #
                      #DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
                      #		Framed-IP-Address = 192.168.1.32+,
                      #		Fall-Through = Yes
                      
                      #DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
                      #		Framed-IP-Address = 192.168.2.32+,
                      #		Fall-Through = Yes
                      
                      #
                      # Defaults for all framed connections.
                      #
                      DEFAULT	Service-Type == Framed-User
                      	Framed-IP-Address = 255.255.255.254,
                      	Framed-MTU = 576,
                      	Service-Type = Framed-User,
                      	Fall-Through = Yes
                      
                      #
                      # Default for PPP: dynamic IP address, PPP mode, VJ-compression.
                      # NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
                      #	by the terminal server in which case there may not be a "P" suffix.
                      #	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
                      #
                      DEFAULT	Framed-Protocol == PPP
                      	Framed-Protocol = PPP,
                      	Framed-Compression = Van-Jacobson-TCP-IP
                      
                      #
                      
                      
                        alexus

                        I just looked through the USERS file and it looks exactly the same as yours. I don't know what to do…

                          jeroen234

                          ok, so system passwords are disabled, that is good

                          start freeradius with
                          radiusd -x
                          or with freeradius -x
                          then try logging in through the portal and look at the error that freeradius is giving on its screen

                            alexus

                            yeah I am running in the debug mode, and there are no errors, and at the end it says, password is invalid… and it sends Access-Reject
                            I'm lost now... is there a soft client that sends MS-CHAP Access Requests?

                              alexus

                              just spoke with people from Mono, they say it uses PAP…
                              hoba, do you know what version of Mono you are using? 1.20 or 1.21?

                                sullrich

                                1.21

                                  aldo

                                  it does use pap only.

                                  just add authtype=pap

                                  in your radius configuration, should work. depending on your backend it is really no worse than chap.
                                  if you are paranoid, add an stunnel from your NAS to your radius backend
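
The password-storage point made in the thread (crypted passwords break CHAP, while the captive portal sends PAP) as an added Python example, not code from any poster or from FreeRADIUS: it implements RFC 2865 User-Password hiding and the RFC 1994 CHAP response, then checks each against a one-way stored password. The shared secret, salt, authenticator, challenge and the SHA-256 `one_way` stand-in for crypt are constructed assumptions; only the sample password string comes from the thread.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password as in RFC 2865 section 5.2."""
    # Pad with NULs to a multiple of 16 octets (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: anyone holding the shared secret recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: RFC 1994 response = MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a crypt-style stored password (illustrative, not crypt(3))."""
    return hashlib.sha256(salt + password).digest()

def check_pap(hidden, secret, authenticator, salt, stored) -> bool:
    """PAP works with a hashed store: reveal, re-hash, compare."""
    candidate = one_way(pap_reveal(hidden, secret, authenticator), salt)
    return hmac.compare_digest(candidate, stored)

def check_chap(chap_id, challenge, response, server_copy: bytes) -> bool:
    """CHAP needs the bytes the client typed; a hash of them will not match."""
    return hmac.compare_digest(chap_response(chap_id, server_copy, challenge), response)

# Constructed sample values; only the password string comes from the thread.
PASSWORD, SECRET, SALT = b"Secret149", b"constructed-shared-secret", b"constructed-salt"
AUTHENTICATOR, CHALLENGE = bytes(range(16)), bytes(range(16, 32))
STORED, RESPONSE = one_way(PASSWORD, SALT), chap_response(1, PASSWORD, CHALLENGE)
HIDDEN = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    print("PAP vs hashed store :", check_pap(HIDDEN, SECRET, AUTHENTICATOR, SALT, STORED))
    print("CHAP vs cleartext   :", check_chap(1, CHALLENGE, RESPONSE, PASSWORD))
    print("CHAP vs hashed store:", check_chap(1, CHALLENGE, RESPONSE, STORED))
```

`pap_reveal` shows that PAP's protection on the wire rests entirely on the RADIUS shared secret, which is the case the stunnel suggestion addresses.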

                                    alexus

                                    actually I had to use Auth-Type == local, instead of system which is default… in that case it will fall through all local modules installed

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.