module fails parsing output, expecting operator

Richard Green richard.green at unsw.edu.au
Mon Jan 27 10:38:16 CET 2020


I am seeking help with an error parsing the output from an external exec program with FreeRADIUS 3 (a similar configuration, albeit some file movements for the updated config, worked without a problem with FreeRADIUS 2). The external exec program (/usr/local/bin/multiotp.php) seems to return a valid response (which is the same as for the working configuration for version 2), however FreeRADIUS 3 reports a parsing error at this point.

I've been successfully using FreeRADIUS 2 for a while with MultiOTP to provide an authentication component where the password is a TOTP token and the username is synchronised with an Active Directory, and am attempting to upgrade to FreeRADIUS 3.

My debug log is as follows:

.
.
.
(1) auth_log:    --> Mon Jan 27 09:08:08 2020
(1)     [auth_log] = ok
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "johnboy", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1)     [eap] = noop
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) multiotp: Executing: /usr/local/bin/multiotp.php '%{User-Name}' '%{User-Password}' -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}:
(1) multiotp: EXPAND %{User-Name}
(1) multiotp:    --> johnboy
(1) multiotp: EXPAND %{User-Password}
(1) multiotp:    -->
(1) multiotp: EXPAND -src=%{Packet-Src-IP-Address}
(1) multiotp:    --> -src=127.0.0.1
(1) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}
(1) multiotp:    --> -chap-challenge=
(1) multiotp: EXPAND -chap-password=%{CHAP-Password}
(1) multiotp:    --> -chap-password=
(1) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}
(1) multiotp:    --> -ms-chap-challenge=0x5c1ed153a00f704f
(1) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}
(1) multiotp:    --> -ms-chap-response=0x0001000000000000000000000000000000000000000000000000e6a71cf3f91b0c6218c456823e92d63ff58359976f0c272a
(1) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}
(1) multiotp:    --> -ms-chap2-response=
(1) multiotp: ERROR: Failed parsing output from: /usr/local/bin/multiotp.php '%{User-Name}' '%{User-Password}' -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: Expecting operator
(1) multiotp: ERROR: Program returned code (0) and output 'Filter-Id += "Erica-Users",NT_KEY: EBEEE229885004ACEA55894DFDC1272D  '
(1)     [multiotp] = fail
(1)   } # authorize = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
.
.
.

(Note the wiki page https://wiki.freeradius.org/guide/multiOTP-HOWTO discusses version 3 but seems to reference version 2 file names, so is only useful as a guideline).

Thanks!

Richard Green
UNSW Sydney
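
A simplified check of exec program output against the comma-separated `Attribute operator value` list form, as an added example that is not part of the original post and is not FreeRADIUS's own parser. The function names are hypothetical, and the sample string is constructed to match the shape of the program output in the log above, with a placeholder key value.

```python
import re

# Operators allowed between attribute name and value (longest listed first).
OPERATORS = [":=", "+=", "-=", "==", "!=", "<=", ">=", "=~", "!~", "=*", "!*",
             "=", "<", ">"]
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+(?::\d+)?")  # optional numeric tag

def split_pairs(output):
    """Split program output on commas that are outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in output.strip():
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [item for item in items if item]

def check_pair(item):
    """Return None if item looks like 'Attribute op value', else a reason."""
    m = NAME_RE.match(item)
    if not m:
        return "expecting attribute name"
    rest = item[m.end():].lstrip()
    for op in OPERATORS:
        if rest.startswith(op):
            return None if rest[len(op):].strip() else "missing value"
    return "expecting operator after %r" % m.group(0)

def validate(output):
    """Return (item, reason) for every item that would not parse."""
    return [(i, r) for i in split_pairs(output) if (r := check_pair(i))]

if __name__ == "__main__":
    # Constructed sample shaped like the program output in the log above;
    # the key value is a placeholder.
    sample = 'Filter-Id += "Erica-Users",NT_KEY: 00112233445566778899AABBCCDDEEFF  '
    for item, reason in validate(sample):
        print("rejected: %s (%s)" % (item, reason))
```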


