radtest fails with Access-Rejected

Mark J. Bobak mark at bobak.net
Thu Sep 21 18:34:22 CEST 2017


Hi all,

First, a bit of background:
I've had this freeradius server working well for months.  I built it with
Google Authenticator for two-factor authentication.  I integrated it with
my Dell Sonicwall to implement SSLVPN with two-factor authentication.

All that was working fine.  Yesterday, I needed to rebuild my AWS VPC
(Virtual Private Cloud) so we could add a VPN tunnel from another office,
which had conflicting IP address ranges, so I built a new VPC and
re-launched my freeradius servers into the new VPC, and stuff stopped
working.

I'm not sure what's going on here, but even a simple radtest fails.

This is:
[ec2-user at tfa-primary ~]$ /usr/sbin/radiusd -v
radiusd: FreeRADIUS Version 3.0.13, for host x86_64-redhat-linux-gnu, built on Jul 17 2017 at 06:58:38
FreeRADIUS Version 3.0.13

When I run radtest, I get:
[ec2-user at tfa-primary ~]$ radtest mbobak Welcome123816449 127.0.0.1:1812 0 NiTs#@\!xyzzy
Sent Access-Request Id 36 from 0.0.0.0:51762 to 127.0.0.1:1812 length 76
        User-Name = "mbobak"
        User-Password = "Welcome123816449"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "Welcome123816449"
Received Access-Reject Id 36 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Which doesn't seem to really indicate anything specific, that I can see.

When I run radiusd with '-X' option and execute 'radtest', I get:
(19) Received Access-Request Id 36 from 127.0.0.1:51762 to 127.0.0.1:1812 length 76
(19)   User-Name = "mbobak"
(19)   User-Password = "Welcome123816449"
(19)   NAS-IP-Address = 127.0.1.1
(19)   NAS-Port = 0
(19)   Message-Authenticator = 0xcbae6be380f42f0e8bbff9e2419d229b
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19)   authorize {
(19)     policy filter_username {
(19)       if (&User-Name) {
(19)       if (&User-Name)  -> TRUE
(19)       if (&User-Name)  {
(19)         if (&User-Name =~ / /) {
(19)         if (&User-Name =~ / /)  -> FALSE
(19)         if (&User-Name =~ /@[^@]*@/ ) {
(19)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(19)         if (&User-Name =~ /\.\./ ) {
(19)         if (&User-Name =~ /\.\./ )  -> TRUE
(19)         if (&User-Name =~ /\.\./ )  {
(19)           update request {
(19)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(19)           } # update request = noop
(19)           [reject] = reject
(19)         } # if (&User-Name =~ /\.\./ )  = reject
(19)       } # if (&User-Name)  = reject
(19)     } # policy filter_username = reject
(19)   } # authorize = reject
(19) Using Post-Auth-Type Reject
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19)   Post-Auth-Type REJECT {
(19) attr_filter.access_reject: EXPAND %{User-Name}
(19) attr_filter.access_reject:    --> mbobak
(19) attr_filter.access_reject: Matched entry DEFAULT at line 11
(19)     [attr_filter.access_reject] = updated
(19)     [eap] = noop
(19)     policy remove_reply_message_if_eap {
(19)       if (&reply:EAP-Message && &reply:Reply-Message) {
(19)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(19)       else {
(19)         [noop] = noop
(19)       } # else = noop
(19)     } # policy remove_reply_message_if_eap = noop
(19)   } # Post-Auth-Type REJECT = updated
(19) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(19) Sending delayed response
(19) Sent Access-Reject Id 36 from 127.0.0.1:1812 to 127.0.0.1:51762 length 20
Waking up in 3.9 seconds.
(19) Cleaning up request packet ID 36 with timestamp +5768
Ready to process requests


Can someone offer me a clue?

Thanks!

-Mark
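The `radiusd -X` trace above answers the question itself: the reject comes from the `filter_username` policy, where the `=~ /\.\./` check evaluated TRUE. Reading such traces by hand is error-prone, so here is an added helper (not part of the post or of FreeRADIUS) that walks one request's debug output and reports the innermost block that returned `reject`, the condition that fired just before it, any `Module-Failure-Message`, and the packet type finally sent. It assumes the line layout shown in the post; the sample trace is a constructed, abridged copy of it.

```python
import re
from typing import Optional

# Constructed sample in the shape of the `radiusd -X` trace from the post (abridged).
SAMPLE_DEBUG = r"""(19) Received Access-Request Id 36 from 127.0.0.1:51762 to 127.0.0.1:1812 length 76
(19)   authorize {
(19)     policy filter_username {
(19)       if (&User-Name) {
(19)       if (&User-Name)  -> TRUE
(19)       if (&User-Name)  {
(19)         if (&User-Name =~ / /) {
(19)         if (&User-Name =~ / /)  -> FALSE
(19)         if (&User-Name =~ /\.\./ ) {
(19)         if (&User-Name =~ /\.\./ )  -> TRUE
(19)         if (&User-Name =~ /\.\./ )  {
(19)           update request {
(19)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(19)           } # update request = noop
(19)           [reject] = reject
(19)         } # if (&User-Name =~ /\.\./ )  = reject
(19)       } # if (&User-Name)  = reject
(19)     } # policy filter_username = reject
(19)   } # authorize = reject
Waking up in 0.3 seconds.
(19) Sent Access-Reject Id 36 from 127.0.0.1:1812 to 127.0.0.1:51762 length 20
"""

PREFIX = re.compile(r"^\((\d+)\)\s*(.*)$")            # "(19) ..." request prefix
CLOSE = re.compile(r"^\} # (.+?)\s+= (\w+)$")         # "} # <block>  = <rcode>"
COND = re.compile(r"^(.+?)\s+-> (TRUE|FALSE)$")       # "if (...)  -> TRUE"
FAILMSG = re.compile(r"&Module-Failure-Message \+= '(.*)'")
REPLY = re.compile(r"^Sent (Access-\w+) Id \d+")

def explain_reject(debug_text: str, request_id: Optional[int] = None) -> dict:
    """Report why one request in a radiusd -X trace was rejected (first reject wins,
    which is the innermost block because closings are printed inside-out)."""
    result = {"request": request_id, "innermost_reject": None,
              "matched_condition": None, "failure_message": None, "sent": None}
    last_true = None
    for raw in debug_text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue  # "Waking up ..." and other lines without a request prefix
        rid, body = int(m.group(1)), m.group(2).strip()
        if request_id is not None and rid != request_id:
            continue
        result["request"] = rid
        if (c := COND.match(body)) and c.group(2) == "TRUE":
            last_true = c.group(1).strip()
        elif (f := FAILMSG.search(body)):
            result["failure_message"] = f.group(1)
        elif (e := CLOSE.match(body)) and e.group(2) == "reject" and result["innermost_reject"] is None:
            result["innermost_reject"], result["matched_condition"] = e.group(1).strip(), last_true
        elif (s := REPLY.match(body)):
            result["sent"] = s.group(1)
    return result
```

Run on the sample it names the `=~ /\.\./` condition as the cause, which is the line to compare against the `filter_username` policy in `policy.d/filter` on the rebuilt host.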
