"0x" in front of Clear-text password

Eric Aguilar agueric at gmail.com
Fri Oct 8 02:40:11 CEST 2021


Hello,

We have FreeRADIUS 3 running successfully; we updated from FreeRADIUS 2 a
couple of months ago. We encountered a problem with a NAS running CoovaChilli
for captive portal authentication, which was working before. Even if the
uamsecret is not set, SQL logs the radcheck attempt with the correct
password but with a leading "0x"; it seems it is rejecting the access
request because of that 0x being in front.

Is there a way to modify FreeRADIUS to strip that "0x" so that we can get
successful authentication, or maybe to force it to take the CHAP-Password
parameter as User-Password?

Please let me know if I should ask differently or include some more
information.

Here is the debug file:

Ready to process requests
(0) Received Access-Request Id 60 from 187.168.34.159:48641 to
172.31.36.39:1812 length 162
(0)   User-Name = "06-CC-C6-1E-6B-09"
(0)   CHAP-Password = 0x7c2e341f7fa12820b2605223bac6c307
(0)   CHAP-Challenge = 0x047808cb6d147b8d77d3116a0cfa6498
(0)   Calling-Station-Id = "06-CC-C6-1E-6B-09"
(0)   Called-Station-Id = "00-1A-DD-7A-E1-80"
(0)   Service-Type = Login-User
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Identifier = "myNas"
(0)   Acct-Session-Id = "615f44bb00000000"
(0)   NAS-Port = 0
(0)   NAS-IP-Address = 192.168.101.166
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "06-CC-C6-1E-6B-09", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 06-CC-C6-1E-6B-09
(0) sql: SQL-User-Name set to '06-CC-C6-1E-6B-09'
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 78
seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 78
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 78
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 78
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (10), 1 of 128 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on
radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log,
protocol version 10
rlm_sql (sql): Reserved connection (10)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Cleartext-Password := "7c2e341f7fa12820b2605223bac6c307"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'06-CC-C6-1E-6B-09' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = '06-CC-C6-1E-6B-09' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (10)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (11), 1 of 127 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on
radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log,
protocol version 10
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: No User-Password attribute in the request.  Cannot do PAP
(0)     [pap] = noop
(0)   } # authorize = ok
(0) WARNING: Please update your configuration, and remove 'Auth-Type =
Local'
(0) WARNING: Use the PAP or CHAP modules instead
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (10)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> 06-CC-C6-1E-6B-09
(0) sql: SQL-User-Name set to '06-CC-C6-1E-6B-09'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '06-CC-C6-1E-6B-09', '0x7c2e341f7fa12820b2605223bac6c307',
'Access-Reject', '2021-10-07 19:04:27.702763')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '06-CC-C6-1E-6B-09',
'0x7c2e341f7fa12820b2605223bac6c307', 'Access-Reject', '2021-10-07
19:04:27.702763')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (10)
(0)     [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> 06-CC-C6-1E-6B-09
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 60 from 172.31.36.39:1812 to 187.168.34.159:48641
length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 60 with timestamp +78
Ready to process requests
(1) Received Accounting-Request Id 60 from 201.113.6.173:5630 to
172.31.36.39:1813 length 169
(1)   Acct-Status-Type = Start
(1)   NAS-Port-Type = Wireless-802.11
(1)   Calling-Station-Id = "D4:62:EA:42:E1:E2"
(1)   Called-Station-Id = "6C:3B:6B:FA:1A:8F"
(1)   NAS-Port-Id = "hotspot"
(1)   User-Name = "D4-62-EA-42-E1-E2"
(1)   NAS-Port = 2153812177
(1)   Acct-Session-Id = "806090d1"
(1)   Framed-IP-Address = 10.5.50.164
(1)   Mikrotik-Host-IP = 10.5.50.164
(1)   Event-Timestamp = "Oct  7 2021 19:11:03 UTC"
(1)   NAS-Identifier = "6C:3B:6B:FA:1A:8F"
(1)   Acct-Delay-Time = 0
(1)   NAS-IP-Address = 192.168.1.67
(1) # Executing section preacct from file /etc/raddb/sites-enabled/default
(1)   preacct {
(1)     [preprocess] = ok
(1)     policy acct_unique {
(1)       update request {
(1)         &Tmp-String-9 := "ai:"
(1)       } # update request = noop
(1)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1)       EXPAND %{hex:&Class}
(1)          -->
(1)       EXPAND ^%{hex:&Tmp-String-9}
(1)          --> ^61693a
(1)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(1)       else {
(1)         update request {
(1)           EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1)              --> 7f054881202d112c62658b7b3b7c059e
(1)           &Acct-Unique-Session-Id := 7f054881202d112c62658b7b3b7c059e
(1)         } # update request = noop
(1)       } # else = noop
(1)     } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "D4-62-EA-42-E1-E2", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     [files] = noop
(1)   } # preacct = ok
(1) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(1)   accounting {
(1) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail:    --> /var/log/radius/radacct/201.113.6.173/detail-20211007
(1) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/201.113.6.173/detail-20211007
(1) detail: EXPAND %t
(1) detail:    --> Thu Oct  7 19:12:44 2021
(1)     [detail] = ok
(1)     [unix] = ok
(1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(1) sql:    --> type.start.query
(1) sql: Using query template 'query'
rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 497
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 497
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (12), 1 of 128 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on
radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log,
protocol version 10
rlm_sql (sql): Reserved connection (12)
(1) sql: EXPAND %{User-Name}
(1) sql:    --> D4-62-EA-42-E1-E2
(1) sql: SQL-User-Name set to 'D4-62-EA-42-E1-E2'
(1) sql: EXPAND INSERT INTO radacct (acctsessionid,
acctuniqueid,           username, realm,                    nasipaddress,
         nasportid, nasporttype,         acctstarttime,
 acctupdatetime, acctstoptime,           acctsessiontime,
acctauthentic, connectinfo_start,       connectinfo_stop,
acctinputoctets, acctoutputoctets,      calledstationid,
callingstationid, acctterminatecause,   servicetype,
 framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(1) sql:    --> INSERT INTO radacct (acctsessionid,
acctuniqueid,           username, realm,                    nasipaddress,
         nasportid, nasporttype,         acctstarttime,
 acctupdatetime, acctstoptime,           acctsessiontime,
acctauthentic, connectinfo_start,       connectinfo_stop,
acctinputoctets, acctoutputoctets,      calledstationid,
callingstationid, acctterminatecause,   servicetype,
 framedprotocol, framedipaddress) VALUES ('806090d1',
'7f054881202d112c62658b7b3b7c059e', 'D4-62-EA-42-E1-E2', '',
'192.168.1.67', 'hotspot', 'Wireless-802.11', FROM_UNIXTIME(1633633863),
FROM_UNIXTIME(1633633863), NULL, '0', '', '', '', '0', '0',
'6C:3B:6B:FA:1A:8F', 'D4:62:EA:42:E1:E2', '', '', '', '10.5.50.164')
(1) sql: Executing query: INSERT INTO radacct (acctsessionid,
acctuniqueid,           username, realm,            nasipaddress,
 nasportid, nasporttype,         acctstarttime,          acctupdatetime,
acctstoptime,           acctsessiontime,     acctauthentic,
connectinfo_start,       connectinfo_stop,       acctinputoctets,
acctoutputoctets,      calledstationid,     callingstationid,
acctterminatecause,   servicetype,            framedprotocol,
framedipaddress) VALUES ('806090d1', '7f054881202d112c62658b7b3b7c059e',
'D4-62-EA-42-E1-E2', '', '192.168.1.67', 'hotspot', 'Wireless-802.11',
FROM_UNIXTIME(1633633863), FROM_UNIXTIME(1633633863), NULL, '0', '', '',
'', '0', '0', '6C:3B:6B:FA:1A:8F', 'D4:62:EA:42:E1:E2', '', '', '',
'10.5.50.164')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (12)
Need 2 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (13), 1 of 127 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on
radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log,
protocol version 10
(1)     [sql] = ok
(1)     [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response:    --> D4-62-EA-42-E1-E2
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1)     [attr_filter.accounting_response] = updated
(1)   } # accounting = updated
(1) Sent Accounting-Response Id 60 from 172.31.36.39:1813 to
201.113.6.173:5630 length 0
(1) Finished request
(1) Cleaning up request packet ID 60 with timestamp +575
Ready to process requests
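The following is an added worked example, written for this thread; it is not code from the poster, from CoovaChilli or from the FreeRADIUS project. It shows what the "0x" in the debug output above actually is: the server prints binary octet-string attributes as 0x-prefixed hex, and CHAP-Password is such an attribute, carrying an identifier octet followed by the 16-octet MD5 of (ident, password, challenge) per RFC 1994 and RFC 2865 section 5.3. The radpostauth insert in the log uses `%{%{User-Password}:-%{Chap-Password}}`, so when no User-Password is present it records those octets rendered as hex. Because the value is a one-way response to the challenge, it cannot be turned into a User-Password by stripping "0x"; a CHAP verifier needs the user's real clear-text password (FreeRADIUS's Cleartext-Password check item) and recomputes the digest. The example parses debug-style attribute lines, builds a response the way a NAS would, and verifies it. The password "wifi-secret", the ident value 1 and the sample log lines are constructed for the example; the CHAP-Challenge value is copied from the debug output above. The parser, `parse_debug_attrs`, `chap_verify` and the other names are this example's own, not FreeRADIUS APIs.

```python
import hashlib
import hmac
import re

# Matches attribute lines as FreeRADIUS prints them in debug mode, e.g.
#   (0)   User-Name = "06-CC-C6-1E-6B-09"
#   (0)   CHAP-Password = 0x7c2e341f...
ATTR_LINE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')


def parse_debug_attrs(lines):
    """Return {attribute: value} for one request's attribute dump.

    0x-prefixed values are binary octet strings (decoded to bytes),
    double-quoted values are text, anything else is kept verbatim.
    """
    attrs = {}
    for line in lines:
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("0x"):
            attrs[name] = bytes.fromhex(raw[2:])
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            attrs[name] = raw[1:-1]
        else:
            attrs[name] = raw
    return attrs


def chap_digest(ident, password, challenge):
    """RFC 1994 response value: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_chap_password(ident, password, challenge):
    """What a NAS places in CHAP-Password (RFC 2865 5.3): ident octet + 16-octet digest."""
    return bytes([ident]) + chap_digest(ident, password, challenge)


def chap_verify(cleartext_password, chap_password, challenge):
    """Server-side check: recompute the digest from the stored clear-text password.

    A malformed attribute (wrong length) is treated as a failed check rather than
    an exception, which is how a verifier should fail closed.
    """
    if len(chap_password) != 17:
        return False
    ident, digest = chap_password[0], chap_password[1:]
    expected = chap_digest(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, digest)


# Constructed sample (hypothetical password and ident; challenge taken from the
# debug output in the post). The NAS answers the challenge, and the server's
# debug printer renders the octets it received as "0x...".
SAMPLE_PASSWORD = "wifi-secret"
SAMPLE_CHALLENGE = bytes.fromhex("047808cb6d147b8d77d3116a0cfa6498")
SAMPLE_CHAP = build_chap_password(0x01, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)

SAMPLE_LOG = [
    '(0)   User-Name = "06-CC-C6-1E-6B-09"',
    "(0)   CHAP-Password = 0x" + SAMPLE_CHAP.hex(),
    "(0)   CHAP-Challenge = 0x" + SAMPLE_CHALLENGE.hex(),
    "(0)   Service-Type = Login-User",
]


def check_sample(stored_password):
    """Verify the constructed request against whatever radcheck holds for the user."""
    attrs = parse_debug_attrs(SAMPLE_LOG)
    return chap_verify(stored_password, attrs["CHAP-Password"], attrs["CHAP-Challenge"])


if __name__ == "__main__":
    # radcheck holds the real clear-text password: the response verifies.
    print("Cleartext-Password = real password   ->", check_sample(SAMPLE_PASSWORD))
    # radcheck holds the hex of the CHAP response instead (with or without the
    # "0x"): hashing that string never reproduces the digest, so it cannot verify.
    print("Cleartext-Password = hex of response ->", check_sample(SAMPLE_CHAP.hex()))
```

The two lookups in `__main__` are the practical point: with the user's real password stored as Cleartext-Password the CHAP check succeeds, while storing the 0x-stripped hex of the response as the password can never succeed, whatever is done to the prefix. The server also needs the chap module to run in authorize so that Auth-Type is set from the CHAP-Password attribute; the debug above shows only pap being consulted, which is why it reports "No Auth-Type found".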

