ERROR: pap : Cleartext password does not match "known good" password

aquilinux aquilinux at gmail.com
Wed May 11 12:53:36 CEST 2016


> User-Password = '20c9d081bcc3'
[...]
> | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |

They do not match...

On Wed, May 11, 2016 at 12:42 PM, orion doty <orion.doty at gmail.com> wrote:

> I don't understand what is happening to the password as I can see it
> correctly in the access request.   I also would have expected to see the
> password on this line just before the error:
>
>
> (0)  Auth-Type PAP {
>
> (0)  pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE???
> IT IS NOT]
>
>
>
> Here is the full output (minus the IP addresses):
>
> Received Access-Request Id 8 from X:18852 to X:1812 length 107
>
> User-Name = '20c9d081bcc3'
>
> User-Password = '20c9d081bcc3'
>
> NAS-Identifier = '58-B6-33-1A-7D-20'
>
> NAS-IP-Address = X
>
> Service-Type = Login-User
>
> NAS-Port-Type = Wireless-802.11
>
> Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
>
> (0) Received Access-Request packet from host X port 18852, id=8, length=107
>
> (0) User-Name = '20c9d081bcc3'
>
> (0) User-Password = '20c9d081bcc3'
>
> (0) NAS-Identifier = '58-B6-33-1A-7D-20'
>
> (0) NAS-IP-Address = X
>
> (0) Service-Type = Login-User
>
> (0) NAS-Port-Type = Wireless-802.11
>
> (0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
>
> (0) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
>
> (0)   authorize {
>
> (0)   filter_username filter_username {
>
> (0)     if (!&User-Name)
>
> (0)     if (!&User-Name)  -> FALSE
>
> (0)     if (&User-Name =~ / /)
>
> (0)     if (&User-Name =~ / /)  -> FALSE
>
> (0)     if (&User-Name =~ /@.*@/ )
>
> (0)     if (&User-Name =~ /@.*@/ )  -> FALSE
>
> (0)     if (&User-Name =~ /\\.\\./ )
>
> (0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
>
> (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
>
> (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
> FALSE
>
> (0)     if (&User-Name =~ /\\.$/)
>
> (0)     if (&User-Name =~ /\\.$/)   -> FALSE
>
> (0)     if (&User-Name =~ /@\\./)
>
> (0)     if (&User-Name =~ /@\\./)   -> FALSE
>
> (0)   } # filter_username filter_username = notfound
>
> (0)   [preprocess] = ok
>
> (0)  sql : EXPAND %{User-Name}
>
> (0)  sql :    --> 20c9d081bcc3
>
> (0)  sql : SQL-User-Name set to '20c9d081bcc3'
>
> rlm_sql (sql): Reserved connection (4)
>
> (0)  sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = '%{SQL-User-Name}' ORDER BY id
>
> (0)  sql :    --> SELECT id, username, attribute, value, op FROM radcheck
> WHERE username = '20c9d081bcc3' ORDER BY id
>
> rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
> FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id'
>
> (0)  sql : User found in radcheck table
>
> (0)  sql : Check items matched
>
> (0)  sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
> WHERE username = '%{SQL-User-Name}' ORDER BY id
>
> (0)  sql :    --> SELECT id, username, attribute, value, op FROM radreply
> WHERE username = '20c9d081bcc3' ORDER BY id
>
> rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
> FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id'
>
> (0)  sql : User found in radreply table
>
> (0)  sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority
>
> (0)  sql :    --> SELECT groupname FROM radusergroup WHERE username =
> '20c9d081bcc3' ORDER BY priority
>
> rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE
> username = '20c9d081bcc3' ORDER BY priority'
>
> (0)  sql : User not found in any groups
>
> rlm_sql (sql): Released connection (4)
>
> (0)   [sql] = ok
>
> (0)    if (notfound)
>
> (0)    if (notfound)  -> FALSE
>
> (0)  expiration : Account will expire at 'May 12 2016 13:00:00 UTC'
>
> (0)   [expiration] = ok
>
> (0)    if (userlock)
>
> (0)    if (userlock)  -> FALSE
>
> (0)   [logintime] = noop
>
> (0)   [pap] = updated
>
> (0)  } #  authorize = updated
>
> (0) Found Auth-Type = PAP
>
> (0) # Executing group from file /etc/raddb/sites-enabled/default
>
> (0)  Auth-Type PAP {
>
> (0)  pap : Login attempt with password
>
> *(0)  ERROR: pap : Cleartext password does not match "known good" password*
>
> (0)  pap : Passwords don't match
>
> (0)   [pap] = reject
>
> (0)  } # Auth-Type PAP = reject
>
> (0) Failed to authenticate the user
>
> (0) Using Post-Auth-Type Reject
>
> (0) # Executing group from file /etc/raddb/sites-enabled/default
>
> (0)  Post-Auth-Type REJECT {
>
> (0)  attr_filter.access_reject : EXPAND %{User-Name}
>
> (0)  attr_filter.access_reject :    --> 20c9d081bcc3
>
> (0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
>
> (0)   [attr_filter.access_reject] = updated
>
> (0)  } # Post-Auth-Type REJECT = updated
>
> (0) Delaying response for 1 seconds
>
> Waking up in 0.3 seconds.
>
> Waking up in 0.6 seconds.
>
> (0) Sending delayed response
>
> Waking up in 3.9 seconds.
>
> (0) Cleaning up request packet ID 8 with timestamp +6
>
>
> of note:  records in the mysql radcheck table related to the user
>
>
> | 54 | 20C9D081BCC3 | Expiration         | := | 12 May 2016 13:00 |
>
> | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |
>
> | 56 | 20C9D081BCC3 | Site-Id            | := | LAB               |




-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

Nobody combs my hair as well as the wind.
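
Added example (not part of the original thread and not FreeRADIUS code): a small triage script that reads `radiusd -X` style debug lines and radcheck rows like the ones quoted above and reports whether a PAP reject is a case-only mismatch. The function names are hypothetical and the sample input is constructed from the lines in this thread.

```python
import hmac
import re

# Constructed sample: lines copied from the debug output and radcheck rows quoted above.
DEBUG_LOG = """\
(0) User-Name = '20c9d081bcc3'
(0) User-Password = '20c9d081bcc3'
(0)  sql : User found in radcheck table
(0)  ERROR: pap : Cleartext password does not match "known good" password
"""
RADCHECK_ROWS = """\
| 54 | 20C9D081BCC3 | Expiration         | := | 12 May 2016 13:00 |
| 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |
"""

def request_attr(log, name):
    """Return a request attribute's value as printed in the debug log."""
    m = re.search(r"^\(\d+\)\s+%s = '([^']*)'" % re.escape(name), log, re.M)
    return m.group(1) if m else None

def stored_cleartext(rows, username):
    """Return the Cleartext-Password stored for username.

    The name is matched case-insensitively because the log shows the SQL
    lookup finding the upper-case row for the lower-case User-Name.
    """
    for line in rows.splitlines():
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        if (len(cols) == 5 and cols[2] == "Cleartext-Password"
                and cols[1].lower() == username.lower()):
            return cols[4]
    return None

def diagnose(log, rows):
    """Classify the password comparison the way a byte-exact check sees it."""
    user = request_attr(log, "User-Name")
    sent = request_attr(log, "User-Password")
    known = stored_cleartext(rows, user) if user else None
    if sent is None or known is None:
        return "missing-data"
    # Exact comparison, done in constant time.
    if hmac.compare_digest(sent.encode(), known.encode()):
        return "match"
    if sent.lower() == known.lower():
        return "case-only-mismatch"
    return "mismatch"

if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, RADCHECK_ROWS))
```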

