FreeRadius plugin - problems authenticating users

Started by klaas, April 05, 2021, 03:35:29 PM

Hi,

When I authenticate using OpenVPN and the local freeradius plugin, the password looks garbled.
I have tried both with local system->access->tester (I have applied the patch) and also with OpenVPN and the result is the same. I might also just add that I have OpenVPN working just fine with the local user database.

Below is the debug output from freeradius, with garbled password in bold:
(1) Received Access-Request Id 240 from 127.0.0.1:39381 to 127.0.0.1:1812 length 88
(1)   User-Name = "testuser1"
(1)   Service-Type = Login-User
(1)   Framed-Protocol = 15
(1)   NAS-Identifier = "60436b3466861"
(1)   NAS-Port = 0
(1)   NAS-Port-Type = Ethernet
(1)   User-Password = "\007\225m\324 \350\320r\212s\025\276\255\254N\210"
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1) files: users: Matched entry testuser1 at line 2
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1)     [pap] = reject
(1)   } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> testuser1
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??m? ??r?s????N?] (from client FreeRadius_local port 0)
(1) Delaying response for 1.000000 seconds

Known issue in 21.1.4 and only for the tester. Will be fixed with the next version.

April 06, 2021, 08:32:49 AM #2 Last Edit: April 06, 2021, 10:03:15 AM by klaas
I applied the patch for the tester, but as I stated in my post above, I see the same behavior also using the OpenVPN client (this was not completely clear).

Also see my comment in this thread, https://forum.opnsense.org/index.php?topic=22387.0