Details
1. FreeRADIUS public IP: 2xx.10x.8x.184, port 1812, shared secret N2I455di
2. Test username 1385xxx6695, password 123456
3. On another Linux server (public IP 2xx.10x.8x.189, not the FreeRADIUS server), testing with radtest succeeds.
Client-side output:
radtest -t chap 1385xxx6695 123456 2xx.10x.8x.184 1812 N2I455di
Sending Access-Request of id 178 to 2xx.10x.8x.184 port 1812
User-Name = "1385xxx6695"
CHAP-Password = 0xb221c88e6a68f6a1ed95d8203ec447c0e3
NAS-IP-Address = 2xx.10x.8x.189
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 2xx.10x.8x.184 port 1812, id=178, length=38
Service-Type = Framed-User
Framed-IP-Netmask = 255.255.255.0
Framed-MTU = 1400
Output on the RADIUS side:
rad_recv: Access-Request packet from host 2xx.10x.8x.189 port 39441, id=37, length=82
User-Name = "1385xxx6695"
CHAP-Password = 0x25362bbbf1fa415426f09f13cd55968ae4
NAS-IP-Address = 2xx.10x.8x.189
NAS-Port = 1812
Message-Authenticator = 0x8429d0746df8db58334e013f63233d3e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1385xxx6695", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> 1385xxx6695
[sql] sql_set_user escaped user --> '1385xxx6695'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '5x.yy.2xx.xx' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1385xxx6695' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1385xxx6695' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'deji' ORDER BY id
[sql] User found in group deji
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'deji' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "1385xxx6695" with CHAP password
[chap] Using clear text password "123456" for user 1385xxx6695 authentication.
[chap] chap user 1385xxx6695 authenticated succesfully
++[chap] returns ok
Login OK: [5x.yy.2xx.xx/<CHAP-Password>] (from client xinjiekou port 1812)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 37 to 180.111.147.215 port 39441
Service-Type = Framed-User
Framed-IP-Netmask := 255.255.255.0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 180.111.147.215 port 39441, id=37, length=82
Sending duplicate reply to client xinjiekou port 39441 - ID: 37
Sending Access-Accept of id 37 to 180.111.147.215 port 39441
Waking up in 4.9 seconds.
Cleaning up request 0 ID 37 with timestamp +15
Ready to process requests.
4. But on the NAS (an AC) with a portal configured, using the same username and password just fails.
The output on the RADIUS side is as follows:
rad_recv: Access-Request packet from host 5x.yy.2xx.xx port 1066, id=175, length=226
User-Name = "1385xxx6695"
CHAP-Password = 0xaf6166941cb998e1cff8a678c397feb403
CHAP-Challenge = 0xafa58c82377cd0fcc92b7e01c9917f3c
NAS-Identifier = "guloubeiji"
NAS-IP-Address = 5x.yy.2xx.xx
NAS-Port = 582
NAS-Port-Type = Wireless-802.11
NAS-Port-Id = "wifitest"
Framed-IP-Address = 1cc.rr.xx.yy
Framed-MTU = 1400
Symbol-Current-ESSID = "wifitest"
Symbol-Attr-4 = 0x323437
Connect-Info = "CONNECT -Mbps 802.11g"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "1385xxx6695", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> 1385xxx6695
[sql] sql_set_user escaped user --> '1385xxx6695'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '1385xxx6695' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '1385xxx6695' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '1385xxx6695' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'deji' ORDER BY id
[sql] User found in group deji
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'deji' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "1385xxx6695" with CHAP password
[chap] Using clear text password "123456" for user 1385xxx6695 authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_chap: Wrong user password): [1385xxx6695/<CHAP-Password>] (from client xinjiekou port 582 cli 00-F4-B9-CB-E9-F4)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 1385xxx6695
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 175 to 5x.yy.2xx.xx port 1066
Waking up in 4.9 seconds.
Cleaning up request 0 ID 175 with timestamp +275
Ready to process requests.
So frustrating, please help..
It's hard even to find a complete FreeRADIUS document on the official FreeRADIUS site..
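What the two traces show is the server-side CHAP check itself. The one structural difference between them is that radtest's request carries no CHAP-Challenge attribute (so, per RFC 2865 section 5.3, the server hashes against the packet's Request Authenticator), while the NAS request carries an explicit CHAP-Challenge. Both traces also show why the server needs the password in Cleartext-Password: CHAP is verified by recomputing MD5(ident || password || challenge), which is impossible from a stored hash. The following Python is an added illustration of that check, not FreeRADIUS code and not the poster's; the user name and password come from the post, every challenge and authenticator value is constructed with os.urandom, and the case labels (radtest_accept, nas_accept, ...) are my own.

```python
"""CHAP verification as a RADIUS server performs it (RFC 1994 section 4.1,
RFC 2865 section 5.3).  Added illustration, not FreeRADIUS code; all sample
values below are constructed."""
import hashlib
import hmac
import os
from typing import Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(ident || cleartext password || challenge): the 16-byte CHAP response."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value as a client/NAS sends it: one CHAP identifier
    byte followed by the 16-byte response (17 bytes, i.e. the 34 hex digits seen
    in the CHAP-Password lines of the debug output)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, cleartext_password: bytes,
                request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check of a CHAP-Password attribute.

    If the request carries a CHAP-Challenge attribute, that is the challenge;
    otherwise the 16-byte Request Authenticator is used as the challenge
    (RFC 2865 section 5.3).  radtest sends no CHAP-Challenge, the NAS sends one.
    """
    if len(chap_password) != 17:
        return False  # malformed: must be 1 ident byte + 16 digest bytes
    if len(request_authenticator) != 16:
        return False
    ident = chap_password[0]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, cleartext_password, challenge)
    # constant-time comparison, as for any password check
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Constructed requests for user 1385xxx6695 / 123456 (values from the post)
    with made-up challenges; returns the outcome of each server-side check."""
    password = b"123456"
    authenticator = os.urandom(16)  # constructed Request Authenticator
    results = {}

    # 1) radtest style: no CHAP-Challenge, client hashed over the authenticator
    attr = build_chap_password(0x2F, password, authenticator)
    results["radtest_accept"] = verify_chap(attr, password, authenticator)

    # 2) NAS style: explicit CHAP-Challenge, client hashed over that challenge
    challenge = os.urandom(16)  # constructed CHAP-Challenge
    attr = build_chap_password(0x01, password, challenge)
    results["nas_accept"] = verify_chap(attr, password, authenticator, challenge)

    # 3) NAS hashed over a challenge other than the one it put in the packet:
    #    the server's recomputed digest differs and the request is rejected
    #    with a "Wrong user password" style result
    other_challenge = os.urandom(16)
    attr = build_chap_password(0x01, password, other_challenge)
    results["nas_challenge_mismatch"] = verify_chap(attr, password,
                                                    authenticator, challenge)

    # 4) server stores only a hash of the password: it cannot recompute the
    #    CHAP digest, which is why the "known good" password must be cleartext
    attr = build_chap_password(0x01, password, challenge)
    stored_hash = hashlib.md5(password).hexdigest().encode()
    results["hashed_password_store"] = verify_chap(attr, stored_hash,
                                                   authenticator, challenge)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'Access-Accept' if ok else 'Access-Reject'}")
```

Case 3 is the general shape of a reject that looks exactly like the second trace: the user and password are right on both sides, but the digest was computed over different input. Which input differs in a given deployment (the challenge the NAS actually used, the identifier byte, or the byte encoding of the password) has to be checked on the NAS side, since the server can only report that the digests do not match.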