Messages - klaas

#1
Ideally it would be nice if it could be somehow changed to a SHA256 hash or better  ;D

testuser6 Sha2-Password := "fdf4344add3e9931cb5b487f6ea3b108ba4518507ff3a6e0a97d39625c795627"
#2
Hi,

I have a fully functioning FreeRadius OPNsense plugin running for my VPN customers, but I don't like the fact that passwords are by default stored as clear text in the /usr/local/etc/raddb/users file. I am using the VLAN and network attributes of the FreeRadius plugin, so it's not an option to use an external system.

What are my options to locally store passwords hashed or encrypted on the OPNsense firewall and still be able to use Network/VLAN attribute?

/Klavs
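The two posts above ask for hashed instead of cleartext check items in the users file. The following is an added example, not the OPNsense plugin's code or anything from this thread: it writes and checks users-file entries in the two hashed formats that FreeRADIUS 3's rlm_pap accepts for PAP, `SHA2-Password` (unsalted SHA-256, hex or base64, the format of the line in post #1) and `SSHA2-256-Password` (base64 of SHA-256(password || salt) followed by the salt). The reply items are the ones the plugin's Access-Accept carried later in this thread; the usernames, passwords and the fixed test salt are constructed, and `users_entry`, `verify` and the other function names are this example's own.

```python
"""Added example (not the OPNsense plugin's code): hashed check items for the
FreeRADIUS users file, in the encodings FreeRADIUS 3 rlm_pap understands."""
import base64
import hashlib
import hmac
import os
import string

# Reply attributes in the shape the plugin's Access-Accept showed in this thread.
REPLY_ITEMS = [
    "Framed-IP-Netmask = 255.255.255.0",
    'Framed-Route = "172.16.1.0/24"',
    "Tunnel-Type = VLAN",
    "Tunnel-Medium-Type = IEEE-802",
    'Tunnel-Private-Group-Id = "101"',
    "Framed-Protocol = PPP",
]


def sha2_check_item(password: str) -> str:
    """Unsalted SHA-256, hex-encoded: the format of the SHA2-Password line in post #1."""
    return f'SHA2-Password := "{hashlib.sha256(password.encode()).hexdigest()}"'


def ssha2_256_check_item(password: str, salt=None) -> str:
    """Salted variant: SHA-256(password || salt) with the salt appended, base64-encoded,
    so two users with the same password no longer share a hash on disk."""
    salt = os.urandom(16) if salt is None else salt  # 16-byte salt is this example's choice
    digest = hashlib.sha256(password.encode() + salt).digest()
    return f'SSHA2-256-Password := "{base64.b64encode(digest + salt).decode()}"'


def users_entry(username: str, check_item: str, reply_items=REPLY_ITEMS) -> str:
    """One users-file entry: check items on the first line, reply items indented,
    comma-separated, last one without a comma."""
    lines = [f"{username}  {check_item}"]
    if reply_items:
        lines += [f"\t{item}," for item in reply_items[:-1]] + [f"\t{reply_items[-1]}"]
    return "\n".join(lines)


def parse_check_item(entry: str):
    """Return (username, attribute, value) from the first line of an entry."""
    first = entry.splitlines()[0]
    username, rest = first.split(None, 1)
    attr, _, value = rest.partition(":=")
    return username, attr.strip(), value.strip().strip('"')


def _decode(value: str, digest_len: int) -> bytes:
    # rlm_pap accepts hex or base64; a 32-byte digest is exactly 64 hex characters.
    if len(value) == 2 * digest_len and all(c in string.hexdigits for c in value):
        return bytes.fromhex(value)
    return base64.b64decode(value)


def verify(entry: str, candidate: str) -> bool:
    """Check a candidate password against an entry the way rlm_pap does for PAP."""
    _, attr, value = parse_check_item(entry)
    attr = attr.lower()  # users-file attribute names are case-insensitive
    if attr == "sha2-password":
        stored = _decode(value, 32)
        return hmac.compare_digest(stored, hashlib.sha256(candidate.encode()).digest())
    if attr == "ssha2-256-password":
        raw = base64.b64decode(value)
        digest, salt = raw[:32], raw[32:]
        return hmac.compare_digest(digest, hashlib.sha256(candidate.encode() + salt).digest())
    raise ValueError(f"unsupported check attribute {attr}")


if __name__ == "__main__":
    print(users_entry("testuser1", ssha2_256_check_item("12345678")))
    print(users_entry("testuser6", sha2_check_item("12345678")))
```

PAP, which is what the OpenVPN/OPNsense requests in this thread use (`Found Auth-Type = PAP`), works with hashed check items; only CHAP and MS-CHAP need the cleartext (or NT hash). An unsalted SHA-256 of a password is still quick to brute-force offline if the file leaks, so the salted form plus tight permissions on the users file is the better default, and in the plugin's case the rendered file is only as protected as the cleartext `<password>` in config.xml that it is generated from.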
#3
 :o duh - the shared secret was wrong on the server  :-[

It is actually in this debug output
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
::)

Thanks for your help
#4
As requested I have tested with radtest
In the debug output below, session (0) is with radtest and session (1) is with the Windows 10 OpenVPN client

radtest testuser1 12345678 localhost 0 12345678
Sent Access-Request Id 155 from 0.0.0.0:52787 to 127.0.0.1:1812 length 79
        User-Name = "testuser1"
        User-Password = "12345678"
        NAS-IP-Address = 10.10.111.2
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "12345678"
Received Access-Accept Id 155 from 127.0.0.1:1812 to 127.0.0.1:52787 length 64
        Framed-IP-Netmask = 255.255.255.0
        Framed-Route = "172.16.1.0/24"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "101"
        Framed-Protocol = PPP


Ready to process requests
(0) Received Access-Request Id 53 from 127.0.0.1:41022 to 127.0.0.1:1812 length 79
(0)   User-Name = "testuser1"
(0)   User-Password = "12345678"
(0)   NAS-IP-Address = 10.10.111.2
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x74c9804f6bf09946ad22a5fdded96e8c
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry testuser1 at line 2
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Login OK: [testuser1/12345678] (from client FreeRadius_local port 0)
(0) Sent Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:41022 length 0
(0)   Framed-IP-Netmask = 255.255.255.0
(0)   Framed-Route = "172.16.1.0/24"
(0)   Tunnel-Type = VLAN
(0)   Tunnel-Medium-Type = IEEE-802
(0)   Tunnel-Private-Group-Id = "101"
(0)   Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 53 with timestamp +8
Ready to process requests
(1) Received Access-Request Id 235 from 127.0.0.1:51763 to 127.0.0.1:1812 length 88
(1)   User-Name = "testuser1"
(1)   Service-Type = Login-User
(1)   Framed-Protocol = 15
(1)   NAS-Identifier = "60436b3466861"
(1)   NAS-Port = 0
(1)   NAS-Port-Type = Ethernet
(1)   User-Password = "4\002\235\225Zz\322NhesTH\3365\376"
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry testuser1 at line 2
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1)     [pap] = reject
(1)   } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> testuser1
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/4???Zz?NhesTH?5?] (from client FreeRadius_local port 0)
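Posts #3 and #4 above show the mechanism behind the "Unprintable characters in the password" warning: the radtest session, which used the same secret as the server, decodes to `12345678`, while the OpenVPN session decodes to binary junk because the NAS hid the password with a different shared secret. The following is an added example, not code from this thread or from FreeRADIUS: it implements the RFC 2865 section 5.2 User-Password hiding scheme (MD5 of secret plus Request-Authenticator, chained per 16-byte block, XORed with the NUL-padded password) on both sides and reproduces the warning on a mismatch. The Request-Authenticator value, the secrets and the password are constructed, and the printable-character test is an approximation of the server-side check, not FreeRADIUS's exact code.

```python
"""Added example (not from the thread): RFC 2865 section 5.2 User-Password hiding,
as applied by a PAP client (radtest, the OpenVPN NAS) and reversed by the RADIUS
server before rlm_pap compares the result with Cleartext-Password."""
import hashlib
import string


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    # Keystream block i is MD5(secret || previous *ciphertext* block), seeded with the
    # 16-byte Request-Authenticator. Hiding and revealing differ only in where the
    # "previous" ciphertext block comes from: our own output, or the incoming bytes.
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, key))
        prev = block if decrypt else bytes(out[-16:])
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS puts in the User-Password attribute of an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets (RFC 2865)")
    padded = password + b"\x00" * ((-len(password)) % 16)  # NUL-pad to 16-octet blocks
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers; with a wrong secret this is pseudo-random bytes."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


# Approximation of the server-side sanity check behind FreeRADIUS's warning (assumed).
PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")


def has_unprintable(password: bytes) -> bool:
    return any(c not in PRINTABLE for c in password)


def server_decode(hidden: bytes, server_secret: bytes, authenticator: bytes):
    """Return (decoded password, warning or None), mirroring what radiusd -X reports."""
    pw = reveal_password(hidden, server_secret, authenticator)
    warn = None
    if has_unprintable(pw):
        warn = ("WARNING: Unprintable characters in the password.  "
                "Double-check the shared secret on the server and the NAS!")
    return pw, warn


if __name__ == "__main__":
    AUTH = bytes(range(16))       # constructed Request-Authenticator; real NASes use random bytes
    NAS_SECRET = b"12345678"      # the secret radtest was given in post #4
    hidden = hide_password(b"12345678", NAS_SECRET, AUTH)
    print("User-Password on the wire:", hidden.hex())
    print("server with matching secret:  ", server_decode(hidden, NAS_SECRET, AUTH))
    print("server with mismatched secret:", server_decode(hidden, b"typo-secret", AUTH))
```

The useful diagnostic property is that a secret mismatch never produces a clean "wrong password" reject: the recovered bytes are uniformly random, so a PAP reject whose decoded password contains bytes outside the printable range points at the shared secret (or at the wrong `client {}` block being matched), not at the user's credentials. Note also that this hiding is keyed only by MD5 and the shared secret, which is why RADIUS over an untrusted network should be wrapped in IPsec or RadSec rather than trusted on its own.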
#5
Hi,

I have a problem with the Windows 10 OpenVPN client.
I have two OpenVPN servers setup in my OPNsense firewall.
The first OpenVPN server is using the internal user database and this works fine with the Windows 10 OpenVPN client.
The other OpenVPN server is using the OPNsense freeradius plugin and cannot authenticate. See OPNsense freeradius plugin debug output below.

In this thread I have installed the patch for 21.1.4, https://forum.opnsense.org/index.php?topic=22387.0

But as you can see the password is still completely garbled:
(0) Received Access-Request Id 91 from 127.0.0.1:27719 to 127.0.0.1:1812 length 88
(0)   User-Name = "testuser1"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "60436b3466861"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "\321\001D\030\371hS:)\342\357{D\033<CD><8C>"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry testuser1 at line 2
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password does not match "known good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> testuser1
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??D??hS:)??{D?<CD><8C>] (from client FreeRadius_local port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:27719 length 20
Waking up in 3.9 seconds.
(0) Sending duplicate reply to client FreeRadius_local port 27719 - ID: 91
Waking up in 8.9 seconds.
(0) Sending duplicate reply to client FreeRadius_local port 27719 - ID: 91
Waking up in 18.9 seconds.
(0) Cleaning up request packet ID 91 with timestamp +173
#6
I applied the patch for the tester, but as I stated in my post above, I see the same behavior also using the OpenVPN client (this was not completely clear).

Also see my comment in this thread, https://forum.opnsense.org/index.php?topic=22387.0
#7
Hi,

When I authenticate using OpenVPN and the local freeradius plugin, the password looks garbled.
I have tried both with local system->access->tester (I have applied the patch) and also with OpenVPN and the result is the same.  I might also just add that I have OpenVPN working just fine with the local user database.

Below is the debug output from freeradius, with garbled password in bold:
(1) Received Access-Request Id 240 from 127.0.0.1:39381 to 127.0.0.1:1812 length 88
(1)   User-Name = "testuser1"
(1)   Service-Type = Login-User
(1)   Framed-Protocol = 15
(1)   NAS-Identifier = "60436b3466861"
(1)   NAS-Port = 0
(1)   NAS-Port-Type = Ethernet
(1)   User-Password = "\007\225m\324 \350\320r\212s\025\276\255\254N\210"
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry testuser1 at line 2
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1)     [pap] = reject
(1)   } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> testuser1
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??m? ??r?s????N?] (from client FreeRadius_local port 0)
(1) Delaying response for 1.000000 seconds
#8
Hi,

I have an external freeradius server setup and I can authenticate just fine from opnsense.
I get the following response:
(2) Sent Access-Accept Id 66 from 172.31.254.103:1812 to 172.31.254.1:18478 length 0
(2)   Tunnel-Type = VLAN
(2)   Tunnel-Medium-Type = IEEE-802
(2)   Tunnel-Private-Group-Id = "101"
(2)   Framed-Protocol = PPP
(2)   Framed-Route = "172.16.1.0/24"

But opnsense seems to ignore the Attribute-Value Pairs.
Is it possible to use Attribute-Value Pairs for external freeradius to lock a user into a specific network and VLAN ID?

/Klavs
#9
radtest is working

radtest testuser1 12345678 localhost 0 12345678
Received Access-Accept Id 247 from 127.0.0.1:1812 to 127.0.0.1:2468 length 47
        Framed-IP-Netmask = 255.255.255.0
        Framed-Route = "172.16.1.0/24"
        Framed-Protocol = PPP

#10
Awesome the patch worked, but unfortunately I still have issues for my first user. The user is still the same as above.

The tester now gives me this:
The following input errors were detected:

Authentication failed.


FreeRadius debug output:
(0) Received Access-Request Id 117 from 127.0.0.1:52678 to 127.0.0.1:1812 length 88
(0)   User-Name = "testuser1"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "60436b3466861"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "\013\265\263\250\031u\276s\363=e\357d\363\204k"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry testuser1 at line 2
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password does not match "known good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> testuser1
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/?????u?s?=e?d??k] (from client FreeRadius_local port 0)
(0) Delaying response for 1.000000 seconds
#11
Let me try the patch....
#12
Hi,

I have a project where I would like to use FreeRadius/OpenVPN to create users through the API and be able to manage the VLAN and network routes by each individual user.
But I am facing issues adding users both through the UI and the FreeRadius API.
Currently I am focusing on just getting the UI to work, then I will go back and test the API.

This is the current state:
OPNsense firmware version is 21.1.4
I have created a client in the UI and this user is correctly updated in /usr/local/etc/raddb/clients.conf
client "FreeRadius_local" {.....}

I have created two users in the UI and I can find the users in the config /conf/config.xml
<freeradius>
...
          <user uuid="01911552-c3d2-43ad-b1ef-d3d1021a4bbf">
            <enabled>1</enabled>
            <username>testuser1</username>
            <password>12345678</password>
            <description>test</description>
            <ip/>
            <subnet>255.255.255.0</subnet>
            <route>172.16.1.0/24</route>
            <ip6/>
            <vlan>101</vlan>
            <logintime/>
            <simuse/>
            <wispr_bw_min_up/>
            <wispr_bw_max_up/>
            <wispr_bw_min_down/>
            <wispr_bw_max_down/>
            <chillispot_bw_max_up/>
            <chillispot_bw_max_down/>
            <mikrotik_vlan_id_number/>
            <mikrotik_vlan_id_type/>
            <sessionlimit_max_session_limit/>
            <servicetype/>
            <linkedAVPair/>
          </user>
          <user uuid="00b257ec-1558-4cb7-a6d7-1e87a741cf9b">
            <enabled>1</enabled>
            <username>testuser2</username>
            <password>12345678</password>
            <description>test2</description>
            <ip/>
            <subnet>255.255.255.0</subnet>
            <route>172.16.2.0/24</route>
            <ip6/>
            <vlan>102</vlan>
            <logintime/>
            <simuse/>
            <wispr_bw_min_up/>
            <wispr_bw_max_up/>
            <wispr_bw_min_down/>
            <wispr_bw_max_down/>
            <chillispot_bw_max_up/>
            <chillispot_bw_max_down/>
            <mikrotik_vlan_id_number/>
            <mikrotik_vlan_id_type/>
            <sessionlimit_max_session_limit/>
            <servicetype/>
            <linkedAVPair/>
          </user>
...
</freeradius>


But in /usr/local/etc/raddb/users only the first user is created!  :(
root@vpnaccess:/usr/local/etc/raddb # cat users

testuser1  Cleartext-Password := "12345678"
       Framed-IP-Netmask = 172.16.1.1,
       Framed-Protocol = PPP


DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP


Running freeradius in debug mode, /usr/local/sbin/radiusd -X and testing with System->Access->Tester

I get this error in the browser:
Fatal error: Uncaught Error: Call to undefined method OPNsense\Auth\Radius::getLastAuthErrors() in /usr/local/www/diag_authentication.php:76 Stack trace: #0 {main} thrown in /usr/local/www/diag_authentication.php on line 76

And below from FreeRadius debug mode:
(2) Received Access-Request Id 195 from 127.0.0.1:19292 to 127.0.0.1:1812 length 88
(2)   User-Name = "testuser1"
(2)   Service-Type = Login-User
(2)   Framed-Protocol = 15
(2)   NAS-Identifier = "60436b3466861"
(2)   NAS-Port = 0
(2)   NAS-Port-Type = Ethernet
(2)   User-Password = "\357\350I\t\207\313d\243\347\333M\376h\343q\027"
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2) files: users: Matched entry testuser1 at line 2
(2)     [files] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)     [pap] = updated
(2)   } # authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   Auth-Type PAP {
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: ERROR: Cleartext password does not match "known good" password
(2) pap: Passwords don't match
(2)     [pap] = reject
(2)   } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> testuser1
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     [eap] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # Post-Auth-Type REJECT = updated
(2) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??I      ??d???M?h?q?] (from client FreeRadius_local port 0)
(2) Delaying response for 1.000000 seconds


For some reason the password for the first user is garbled.  :(

I hope you can help with an otherwise great product  :)
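The post above contrasts two users in config.xml with a users file that contains only the first one. The following is an added example, not the plugin's generator or any code from this thread: it parses `<user>` elements like the ones quoted, renders the users-file entry each one should produce (cleartext check item as the plugin does, reply items in the shape the plugin's Access-Accept carried earlier in the thread), and reports enabled users that the rendered users file does not contain. The `<freeradius><users>` wrapper elements are assumed, since the post elides them; both inputs are constructed copies of the post's fragments, and all function names are this example's own.

```python
"""Added example (not the plugin's code): cross-check config.xml FreeRADIUS users
against /usr/local/etc/raddb/users and render the entry each user should have."""
import re
import xml.etree.ElementTree as ET

# Constructed from the two <user> elements in the post; the wrapper elements are assumed.
CONFIG_XML = """<freeradius><users>
  <user uuid="01911552-c3d2-43ad-b1ef-d3d1021a4bbf">
    <enabled>1</enabled><username>testuser1</username><password>12345678</password>
    <subnet>255.255.255.0</subnet><route>172.16.1.0/24</route><vlan>101</vlan>
  </user>
  <user uuid="00b257ec-1558-4cb7-a6d7-1e87a741cf9b">
    <enabled>1</enabled><username>testuser2</username><password>12345678</password>
    <subnet>255.255.255.0</subnet><route>172.16.2.0/24</route><vlan>102</vlan>
  </user>
</users></freeradius>"""

# Constructed copy of the users file shown in the post (only testuser1 present).
USERS_FILE = """
testuser1  Cleartext-Password := "12345678"
       Framed-IP-Netmask = 172.16.1.1,
       Framed-Protocol = PPP

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
"""


def load_users(xml_text: str):
    """Return one dict per <user> element with the fields the users file needs."""
    users = []
    for el in ET.fromstring(xml_text).iter("user"):
        def get(tag):
            return (el.findtext(tag) or "").strip()
        users.append({"uuid": el.get("uuid"), "enabled": get("enabled") == "1",
                      "username": get("username"), "password": get("password"),
                      "subnet": get("subnet"), "route": get("route"), "vlan": get("vlan")})
    return users


def render_entry(user) -> str:
    """users-file entry: cleartext check item (as the plugin writes it) plus the
    reply items the plugin's Access-Accept carried for netmask, route and VLAN."""
    reply = []
    if user["subnet"]:
        reply.append(f"Framed-IP-Netmask = {user['subnet']}")
    if user["route"]:
        reply.append(f'Framed-Route = "{user["route"]}"')
    if user["vlan"]:
        reply += ["Tunnel-Type = VLAN", "Tunnel-Medium-Type = IEEE-802",
                  f'Tunnel-Private-Group-Id = "{user["vlan"]}"']
    reply.append("Framed-Protocol = PPP")
    body = ",\n".join(f"\t{item}" for item in reply)
    return f'{user["username"]}\tCleartext-Password := "{user["password"]}"\n{body}'


# A user entry starts in column 0 with a name followed by a check item; reply
# items are indented, so they never match. DEFAULT entries are filtered below.
ENTRY_RE = re.compile(r"^([^\s#]+)\s+\S+\s*(?::=|==|=)", re.M)


def usernames_in_users_file(text: str):
    return {m.group(1) for m in ENTRY_RE.finditer(text) if m.group(1) != "DEFAULT"}


def missing_users(xml_text: str, users_text: str):
    """Enabled config.xml users that have no entry in the users file."""
    present = usernames_in_users_file(users_text)
    return [u["username"] for u in load_users(xml_text)
            if u["enabled"] and u["username"] not in present]


if __name__ == "__main__":
    print("missing from users file:", missing_users(CONFIG_XML, USERS_FILE))
    for u in load_users(CONFIG_XML):
        print(render_entry(u), end="\n\n")
```

Running this against the real `/conf/config.xml` and users file after every plugin "apply" is a cheap consistency check for the symptom in this post, and the rendered entries make it obvious that each user's VLAN and route ride in the reply items, which is why an external RADIUS server has to return the same attributes for the NAS to act on them.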