On Oct 14, 2019, at 11:16 AM, Wirth, Oliver <O.Wirth@gsi.de> wrote:
We are using freeradius for EDUROAM authentication with an oracle-ldap as password store. Actually we are using still radius version 2, but we now install a new radius version 3.
That's good.
We found the following different behavior between version 2 and version3 which make our authentication fail:
freeradius receives user password from oracle-ldap in the following form: (1) ldap: control:Password-With-Header += '{X- ORCLIFSMD5}***' (1) ldap: control:Password-With-Header += '{X- ORCLWEBDAV}***'
Yeah, those are non-standard and not really well documented.
(1) ldap: control:Password-With-Header += '{MD5}***' (1) ldap: control:Password-With-Header += '{X- ORCLLMV}***' (1) ldap: control:Password-With-Header += '{X- ORCLNTV}***'
The first two Headers are unknown to radius, that's why our Freeradius 2.2.5 is going to the next Password-with-Header until it finds a usable one and then can authenticate the user successfully:
OK.
BUT our new installed Freeradius 3.0.12
Why? 3.0.19 has been out for months. Please use that. Packages are available at http://packages.networkradius.com
is no longer skipping unknown hashes, instead tries to re-write the first one to cleartext and ignores the other hashes. Of course the authentication fails:
(1) pap: Unknown header {{X- ORCLIFSMD5}} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
Is there a reason for this change version 3?
Testing with real-world users. There are people with {} in their passwords.
Or are we doing something wrong or is it possible to tell freeradius 3 to ignore unknown password hashes?
Hmm.. you can't really change that behaviour. It may be worth adding a list of headers to ignore. Which passwords are the ones being used? The {X- ORCLNTV} one? In which case you might be able to just grab that one. if (control:Password-with-Header =~ /^({X- ORCLNTV}.*)$/) { update control { Tmp-String-0 := "%{1}" Password-With-Header !* ANY } update control { Password-With-Header := &control:Tmp-String-0 } } pap I think that should work. Alan DeKok.