From d73e9c0803ceb33e27e0a404fcf10b59efa88b09 Mon Sep 17 00:00:00 2001
From: ionutboangiu
Date: Thu, 8 Jan 2026 18:57:25 +0200
Subject: [PATCH] radagent: use MS-CHAP2-Response for MSCHAPv2

MSCHAPv2 authentication was looking for the wrong RADIUS attribute. Per RFC 2548, MSCHAPv2 uses MS-CHAP2-Response (vendor-type 25), not MS-CHAP-Response (vendor-type 1, which is for v1).

Ref: #4962
---
 agents/librad.go | 4 ++--
 agents/radagent.go | 2 +-
 agents/radagent_it_test.go | 8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/agents/librad.go b/agents/librad.go
index 5dca60354..ef9cad0c7 100644
--- a/agents/librad.go
+++ b/agents/librad.go
@@ -127,9 +127,9 @@ func radauthReq(flags utils.FlagsWithParams, req *radigo.Packet, aReq *AgentRequ
 if len(msChallenge) == 0 {
 return false, utils.NewErrMandatoryIeMissing(MSCHAPChallengeAVP)
 }
- msResponse := req.AttributesWithName(MSCHAPResponseAVP, MicrosoftVendor)
+ msResponse := req.AttributesWithName(MSCHAP2ResponseAVP, MicrosoftVendor)
 if len(msResponse) == 0 {
- return false, utils.NewErrMandatoryIeMissing(MSCHAPResponseAVP)
+ return false, utils.NewErrMandatoryIeMissing(MSCHAP2ResponseAVP)
 }
 vsaMSResponde := msResponse[0].Value.(*radigo.VSA).RawValue
 vsaMSChallange := msChallenge[0].Value.(*radigo.VSA).RawValue
diff --git a/agents/radagent.go b/agents/radagent.go
index 7b359baad..0442374a4 100644
--- a/agents/radagent.go
+++ b/agents/radagent.go
@@ -45,7 +45,7 @@ const (
 UserPasswordAVP = "User-Password"
 CHAPPasswordAVP = "CHAP-Password"
 MSCHAPChallengeAVP = "MS-CHAP-Challenge"
- MSCHAPResponseAVP = "MS-CHAP-Response"
+ MSCHAP2ResponseAVP = "MS-CHAP2-Response"
 MicrosoftVendor = "Microsoft"
 MSCHAP2SuccessAVP = "MS-CHAP2-Success"
 )
diff --git a/agents/radagent_it_test.go b/agents/radagent_it_test.go
index d52798653..ba4e64ff4 100644
--- a/agents/radagent_it_test.go
+++ b/agents/radagent_it_test.go
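Review bot: The two `.(*radigo.VSA)` assertions in the context lines that close the agents/librad.go hunk are unchecked, so a request whose first MS-CHAP2-Response or MS-CHAP-Challenge attribute does not decode to a `*radigo.VSA` would panic the agent instead of being rejected. Unless `AttributesWithName` guarantees that type whenever a vendor is passed, the comma-ok form is the safer choice on this network-facing path: `vsa, ok := msResponse[0].Value.(*radigo.VSA)` followed by `if !ok { return false, utils.NewErrMandatoryIeMissing(MSCHAP2ResponseAVP) }`. RFC 2548 also fixes the MS-CHAP2-Response value at 50 octets; radauthReq continues outside the hunk, so confirm that `len(vsaMSResponde)` is checked there before the peer challenge and NT response are sliced out of it.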
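Review bot: The constant block in agents/radagent.go gives no hint which MS-CHAP version each attribute name belongs to, which is presumably how the v1 attribute ended up in the v2 path. A comment on the new line, such as `// RFC 2548 vendor-type 25 (MSCHAPv2); MS-CHAP-Response, vendor-type 1, is MSCHAPv1 only`, would keep the distinction visible. The lookup is by attribute name, so it appears to depend on the loaded RADIUS dictionary defining `MS-CHAP2-Response` under the `Microsoft` vendor; deployments with a custom dictionary should verify that entry, otherwise MSCHAPv2 requests would fail with the mandatory-IE-missing error. Removing the exported `MSCHAPResponseAVP` also breaks any reference to it outside the three files in this patch.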
@@ -704,7 +704,7 @@ func testRAitAuthMSCHAPV2Success(t *testing.T) {
 if err != nil {
 t.Error(err)
 }
- if err := authReq.AddAVPWithName("MS-CHAP-Response", string(respVal), "Microsoft"); err != nil {
+ if err := authReq.AddAVPWithName("MS-CHAP2-Response", string(respVal), "Microsoft"); err != nil {
 t.Error(err)
 }
 if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
@@ -768,7 +768,7 @@ func testRAitAuthMSCHAPV2SuccessTCP(t *testing.T) {
 if err != nil {
 t.Error(err)
 }
- if err := authReq.AddAVPWithName("MS-CHAP-Response", string(respVal), "Microsoft"); err != nil {
+ if err := authReq.AddAVPWithName("MS-CHAP2-Response", string(respVal), "Microsoft"); err != nil {
 t.Error(err)
 }
 if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
@@ -831,7 +831,7 @@ func testRAitAuthMSCHAPV2Fail(t *testing.T) {
 if err != nil {
 t.Error(err)
 }
- if err := authReq.AddAVPWithName("MS-CHAP-Response", string(respVal), "Microsoft"); err != nil {
+ if err := authReq.AddAVPWithName("MS-CHAP2-Response", string(respVal), "Microsoft"); err != nil {
 t.Error(err)
 }
 if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
@@ -886,7 +886,7 @@ func testRAitAuthMSCHAPV2FailTCP(t *testing.T) {
 if err != nil {
 t.Error(err)
 }
- if err := authReq.AddAVPWithName("MS-CHAP-Response", string(respVal), "Microsoft"); err != nil {
+ if err := authReq.AddAVPWithName("MS-CHAP2-Response", string(respVal), "Microsoft"); err != nil {
 t.Error(err)
 }
 if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
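Review bot: None of the four updated tests (the hunks at 704, 768, 831 and 886) exercises the rejection path this commit introduces. A request flagged for MSCHAPv2 that carries only the v1 `MS-CHAP-Response` should now fail with the mandatory-IE-missing error for `MS-CHAP2-Response`, and a test asserting that would pin the fix against regression. In all four hunks a failed `AddAVPWithName` is reported with `t.Error(err)` and the test carries on, so it would send a request without the response attribute and fail later for an unrelated-looking reason; `t.Fatal(err)` stops at the real cause. Each test function starts and ends outside its hunk, so whether the rest of the body already covers this cannot be seen here.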