Topic: FreeRadius plugin - problems authenticating users (Read 1669 times)
klaas
« on: April 05, 2021, 03:35:29 pm »
Hi,
When I authenticate using OpenVPN and the local freeradius plugin, the password looks garbled.
I have tried both with local system->access->tester (I have applied the patch) and also with OpenVPN and the result is the same. I might also just add that I have OpenVPN working just fine with the local user database.
Below is the debug output from freeradius, with garbled password in bold:
(1) Received Access-Request Id 240 from 127.0.0.1:39381 to 127.0.0.1:1812 length 88
(1) User-Name = "testuser1"
(1) Service-Type = Login-User
(1) Framed-Protocol = 15
(1) NAS-Identifier = "60436b3466861"
(1) NAS-Port = 0
(1) NAS-Port-Type = Ethernet
(1) User-Password = "\007\225m\324 \350\320r\212s\025\276\255\254N\210"
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry testuser1 at line 2
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1) [pap] = reject
(1) } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> testuser1
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??m? ??r?s????N?] (from client FreeRadius_local port 0)
(1) Delaying response for 1.000000 seconds
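
The WARNING line in the debug output above follows from how RADIUS hides User-Password (RFC 2865, section 5.2): each 16-byte block is XORed with MD5(shared secret + Request Authenticator, or the previous hidden block), so a server that decodes with a different secret recovers random-looking bytes. The sketch below is an added example, not part of the original post and not FreeRADIUS or OPNsense code; the password, secrets and authenticator are constructed sample values.

```python
import hashlib

def md5(data: bytes) -> bytes:
    # MD5 is mandated by RFC 2865 here; it is not being used as a secure hash.
    return hashlib.md5(data, usedforsecurity=False).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side: build the User-Password attribute value."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], md5(secret + prev))  # c(i) = p(i) XOR b(i)
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += xor(block, md5(secret + prev))
        prev = block
    return plain.rstrip(b"\x00")

def looks_garbled(password: bytes) -> bool:
    """True when the recovered bytes contain non-printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)

# Constructed sample values (not taken from the thread).
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"example-password-123", b"secret-on-nas", AUTHENTICATOR)

if __name__ == "__main__":
    for label, secret in (("matching", b"secret-on-nas"), ("mismatched", b"secret-on-server")):
        pw = recover_password(HIDDEN, secret, AUTHENTICATOR)
        print(f"{label:10} secret -> {pw!r} garbled={looks_garbled(pw)}")
```

The same garbling appears if the client hides the password against a different Request Authenticator than the one it sends, which is why the symptom alone does not tell a secret mismatch apart from a client-side encoding bug.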
mimugmail
« Reply #1 on: April 05, 2021, 06:28:09 pm »
Known issue in 21.1.4 and only for the tester. Will be fixed with next version.
klaas
« Reply #2 on: April 06, 2021, 08:32:49 am »
I applied the patch for the tester, but as I stated in my post above, I see the same behavior also using the OpenVPN client (this was not completely clear).
Also see my comment in this thread, https://forum.opnsense.org/index.php?topic=22387.0
« Last Edit: April 06, 2021, 10:03:15 am by klaas »