Author Topic: FreeRadius problems creating users (Read 21668 times)

klaas · « **on:** March 31, 2021, 11:30:47 am »

Hi,

I have a project where I would like to use FreeRadius/OpenVPN to create users through the API and be able to manage the VLAN and network routes by each individual user.
But I am facing issues adding users both through the UI and the FreeRadius API.
Currently I am focusing on just getting the UI to work, then I will go back and test the API.

This the current state:
OpenSense firmware version is 21.1.4
I have created a client in the UI and this user is correctly updated in /usr/local/etc/raddb/clients.conf
client "FreeRadius_local" {.....}

I have created two users in the UI and I can find the users in the config /conf/config.xml
<freeradius>
...
<user uuid="01911552-c3d2-43ad-b1ef-d3d1021a4bbf">
<enabled>1</enabled>
<username>testuser1</username>
<password>12345678</password>
<description>test</description>
<ip/>
<subnet>255.255.255.0</subnet>
<route>172.16.1.0/24</route>
<ip6/>
<vlan>101</vlan>
<logintime/>
<simuse/>
<wispr_bw_min_up/>
<wispr_bw_max_up/>
<wispr_bw_min_down/>
<wispr_bw_max_down/>
<chillispot_bw_max_up/>
<chillispot_bw_max_down/>
<mikrotik_vlan_id_number/>
<mikrotik_vlan_id_type/>
<sessionlimit_max_session_limit/>
<servicetype/>
<linkedAVPair/>
</user>
<user uuid="00b257ec-1558-4cb7-a6d7-1e87a741cf9b">
<enabled>1</enabled>
<username>testuser2</username>
<password>12345678</password>
<description>test2</description>
<ip/>
<subnet>255.255.255.0</subnet>
<route>172.16.2.0/24</route>
<ip6/>
<vlan>102</vlan>
<logintime/>
<simuse/>
<wispr_bw_min_up/>
<wispr_bw_max_up/>
<wispr_bw_min_down/>
<wispr_bw_max_down/>
<chillispot_bw_max_up/>
<chillispot_bw_max_down/>
<mikrotik_vlan_id_number/>
<mikrotik_vlan_id_type/>
<sessionlimit_max_session_limit/>
<servicetype/>
<linkedAVPair/>
</user>
...
</freeradius>

But in /usr/local/etc/raddb/users only the first user us created!

root@vpnaccess:/usr/local/etc/raddb # cat users

testuser1 Cleartext-Password := "12345678"
Framed-IP-Netmask = 172.16.1.1,
Framed-Protocol = PPP

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP

Running freeradius in debug mode, /usr/local/sbin/radiusd -X and testing with System->Access->Tester

I get this error in the browser:
Fatal error: Uncaught Error: Call to undefined method OPNsense\Auth\Radius::getLastAuthErrors() in /usr/local/www/diag_authentication.php:76 Stack trace: #0 {main} thrown in /usr/local/www/diag_authentication.php on line 76

And below from FreeRadius debug mode:
(2) Received Access-Request Id 195 from 127.0.0.1:19292 to 127.0.0.1:1812 length 88
(2) User-Name = "testuser1"
(2) Service-Type = Login-User
(2) Framed-Protocol = 15
(2) NAS-Identifier = "60436b3466861"
(2) NAS-Port = 0
(2) NAS-Port-Type = Ethernet
(2) User-Password = "\357\350I\t\207\313d\243\347\333M\376h\343q\027"
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2) [eap] = noop
(2) files: users: Matched entry testuser1 at line 2
(2) [files] = ok
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = updated
(2) } # authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Auth-Type PAP {
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: ERROR: Cleartext password does not match "known good" password
(2) pap: Passwords don't match
(2) [pap] = reject
(2) } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> testuser1
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) [eap] = noop
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/??I ??d???M?h?q?] (from client FreeRadius_local port 0)
(2) Delaying response for 1.000000 seconds

For some reason the password for the first user is garbled.

I hope you can help with an otherwise great product

mimugmail · « **Reply #1 on:** March 31, 2021, 12:27:46 pm »

The local tester has a known bug introduced with 21.1.4. Do you want to apply a patch or wait for 21.1.5?

klaas · « **Reply #2 on:** March 31, 2021, 12:32:53 pm »

Let me try the patch....

mimugmail · « **Reply #3 on:** March 31, 2021, 01:28:16 pm »

https://github.com/opnsense/core/commit/a7ae8c4373d66984a83ab29e2fa0db3bfe0b922d

mimugmail · « **Reply #4 on:** March 31, 2021, 01:29:48 pm »

https://forum.opnsense.org/index.php?topic=22370.msg106314;topicseen#msg106314

klaas · « **Reply #5 on:** March 31, 2021, 01:40:29 pm »

Awesome the patch worked, but unfortunately I still have issues for my first user. The user is still the same as above.

The tester now gives me this:
The following input errors were detected:

Authentication failed.

FreeRadius debug output:
(0) Received Access-Request Id 117 from 127.0.0.1:52678 to 127.0.0.1:1812 length 88
(0) User-Name = "testuser1"
(0) Service-Type = Login-User
(0) Framed-Protocol = 15
(0) NAS-Identifier = "60436b3466861"
(0) NAS-Port = 0
(0) NAS-Port-Type = Ethernet
(0) User-Password = "\013\265\263\250\031u\276s\363=e\357d\363\204k"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry testuser1 at line 2
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password does not match "known good" password
(0) pap: Passwords don't match
(0) [pap] = reject
(0) } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> testuser1
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/?

?u?s?=e?d??k] (from client FreeRadius_local port 0)
(0) Delaying response for 1.000000 seconds

klaas · « **Reply #6 on:** March 31, 2021, 01:54:58 pm »

radtest is working

radtest testuser1 12345678 localhost 0 12345678
Received Access-Accept Id 247 from 127.0.0.1:1812 to 127.0.0.1:2468 length 47
Framed-IP-Netmask = 255.255.255.0
Framed-Route = "172.16.1.0/24"
Framed-Protocol = PPP

mimugmail · « **Reply #7 on:** April 07, 2021, 05:32:10 pm »

When using debug (radiusd -x), how does it look with radtest?

mimugmail · « **Reply #8 on:** April 07, 2021, 05:51:08 pm »

I just tried with password like 45te22mQQQ and this worked fine

klaas · « **Reply #9 on:** April 08, 2021, 04:16:49 pm »

As requested I have tested with radtest
Below debug output session (0) is with radtest and session (1) is with Windows 10 OpenVPN client

radtest testuser1 12345678 localhost 0 12345678 Sent Access-Request Id 155 from 0.0.0.0:52787 to 127.0.0.1:1812 length 79 User-Name = "testuser1" User-Password = "12345678" NAS-IP-Address = 10.10.111.2 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "12345678" Received Access-Accept Id 155 from 127.0.0.1:1812 to 127.0.0.1:52787 length 64 Framed-IP-Netmask = 255.255.255.0 Framed-Route = "172.16.1.0/24" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "101" Framed-Protocol = PPP

Ready to process requests
(0) Received Access-Request Id 53 from 127.0.0.1:41022 to 127.0.0.1:1812 length 79
(0) User-Name = "testuser1"
(0) User-Password = "12345678"
(0) NAS-IP-Address = 10.10.111.2
(0) NAS-Port = 0
(0) Message-Authenticator = 0x74c9804f6bf09946ad22a5fdded96e8c
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry testuser1 at line 2
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Login OK: [testuser1/12345678] (from client FreeRadius_local port 0)
(0) Sent Access-Accept Id 53 from 127.0.0.1:1812 to 127.0.0.1:41022 length 0
(0) Framed-IP-Netmask = 255.255.255.0
(0) Framed-Route = "172.16.1.0/24"
(0) Tunnel-Type = VLAN
(0) Tunnel-Medium-Type = IEEE-802
(0) Tunnel-Private-Group-Id = "101"
(0) Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 53 with timestamp +8
Ready to process requests
(1) Received Access-Request Id 235 from 127.0.0.1:51763 to 127.0.0.1:1812 length 88
(1) User-Name = "testuser1"
(1) Service-Type = Login-User
(1) Framed-Protocol = 15
(1) NAS-Identifier = "60436b3466861"
(1) NAS-Port = 0
(1) NAS-Port-Type = Ethernet
(1) User-Password = "4\002\235\225Zz\322NhesTH\3365\376"
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "testuser1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry testuser1 at line 2
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password
(1) pap: Passwords don't match
(1) [pap] = reject
(1) } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> testuser1
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser1/4???Zz?NhesTH?5?] (from client FreeRadius_local port 0)

klaas · « **Reply #10 on:** April 09, 2021, 04:17:08 pm »

duh - the shared secret was wrong on the server

It is actually in this debug output
(0) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Thanks for your help

Author Topic: FreeRadius problems creating users (Read 21668 times)

klaas

FreeRadius problems creating users

mimugmail

Re: FreeRadius problems creating users

klaas

Re: FreeRadius problems creating users

mimugmail

Re: FreeRadius problems creating users

mimugmail

Re: FreeRadius problems creating users

klaas

Re: FreeRadius problems creating users

klaas

Re: FreeRadius problems creating users

mimugmail

Re: FreeRadius problems creating users

mimugmail

Re: FreeRadius problems creating users

klaas

Re: FreeRadius problems creating users

klaas

Re: FreeRadius problems creating users