Hello, We have Freeradius 3 running successfully - we updated from Freeradius 2 a couple months ago. We encountered a problem with NAS running Coovachilli for captive portal authentication which was working before. Even if the uamsecret is not set SQL logs the radcheck attempt with the correct password but with a leading "0x" - it seems it is rejecting the access request due to that 0x being in front. Is there a way to modify freeradius to strip that "0x" so that we can get successful authentication or maybe force taking CHAP-Password parameter as User-Password? Please let me know if I should ask differently or include some more information. Here is the debug file: Ready to process requests (0) Received Access-Request Id 60 from 187.168.34.159:48641 to 172.31.36.39:1812 length 162 (0) User-Name = "06-CC-C6-1E-6B-09" (0) CHAP-Password = 0x7c2e341f7fa12820b2605223bac6c307 (0) CHAP-Challenge = 0x047808cb6d147b8d77d3116a0cfa6498 (0) Calling-Station-Id = "06-CC-C6-1E-6B-09" (0) Called-Station-Id = "00-1A-DD-7A-E1-80" (0) Service-Type = Login-User (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Identifier = "myNas" (0) Acct-Session-Id = "615f44bb00000000" (0) NAS-Port = 0 (0) NAS-IP-Address = 192.168.101.166 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "06-CC-C6-1E-6B-09", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> 06-CC-C6-1E-6B-09 (0) sql: SQL-User-Name set to '06-CC-C6-1E-6B-09' rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 78 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 78 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 78 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (10), 1 of 128 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 rlm_sql (sql): Reserved connection (10) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "7c2e341f7fa12820b2605223bac6c307" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '06-CC-C6-1E-6B-09' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '06-CC-C6-1E-6B-09' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (10) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (11), 1 of 127 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: No User-Password attribute in the request. Cannot do PAP (0) [pap] = noop (0) } # authorize = ok (0) WARNING: Please update your configuration, and remove 'Auth-Type = Local' (0) WARNING: Use the PAP or CHAP modules instead (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (10) (0) sql: EXPAND %{User-Name} (0) sql: --> 06-CC-C6-1E-6B-09 (0) sql: SQL-User-Name set to '06-CC-C6-1E-6B-09' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '06-CC-C6-1E-6B-09', '0x7c2e341f7fa12820b2605223bac6c307', 'Access-Reject', '2021-10-07 19:04:27.702763') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '06-CC-C6-1E-6B-09', '0x7c2e341f7fa12820b2605223bac6c307', 'Access-Reject', '2021-10-07 19:04:27.702763') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (10) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> 06-CC-C6-1E-6B-09 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 60 from 172.31.36.39:1812 to 187.168.34.159:48641 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +78 Ready to process requests (1) Received Accounting-Request Id 60 from 201.113.6.173:5630 to 172.31.36.39:1813 length 169 (1) Acct-Status-Type = Start (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "D4:62:EA:42:E1:E2" (1) Called-Station-Id = "6C:3B:6B:FA:1A:8F" (1) NAS-Port-Id = "hotspot" (1) User-Name = "D4-62-EA-42-E1-E2" (1) NAS-Port = 2153812177 (1) Acct-Session-Id = "806090d1" (1) Framed-IP-Address = 10.5.50.164 (1) Mikrotik-Host-IP = 10.5.50.164 (1) Event-Timestamp = "Oct 7 2021 19:11:03 UTC" (1) NAS-Identifier = "6C:3B:6B:FA:1A:8F" (1) Acct-Delay-Time = 0 (1) NAS-IP-Address = 192.168.1.67 (1) # Executing section preacct from file /etc/raddb/sites-enabled/default (1) preacct { (1) [preprocess] = ok (1) policy acct_unique { (1) update request { (1) &Tmp-String-9 := "ai:" (1) } # update request = noop (1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (1) EXPAND %{hex:&Class} (1) --> (1) EXPAND ^%{hex:&Tmp-String-9} (1) --> ^61693a (1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (1) else { (1) update request { (1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (1) --> 7f054881202d112c62658b7b3b7c059e (1) &Acct-Unique-Session-Id := 7f054881202d112c62658b7b3b7c059e (1) } # update request = noop (1) } # else = noop (1) } # policy acct_unique = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "D4-62-EA-42-E1-E2", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) [files] = noop (1) } # preacct = ok (1) # Executing section accounting from file /etc/raddb/sites-enabled/default (1) accounting { (1) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (1) detail: --> /var/log/radius/radacct/201.113.6.173/detail-20211007 (1) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/201.113.6.173/detail-20211007 (1) detail: EXPAND %t (1) detail: --> Thu Oct 7 19:12:44 2021 (1) [detail] = ok (1) [unix] = ok (1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (1) sql: --> type.start.query (1) sql: Using query template 'query' rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 497 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 497 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (12), 1 of 128 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 rlm_sql (sql): Reserved connection (12) (1) sql: EXPAND %{User-Name} (1) sql: --> D4-62-EA-42-E1-E2 (1) sql: SQL-User-Name set to 'D4-62-EA-42-E1-E2' (1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('806090d1', '7f054881202d112c62658b7b3b7c059e', 'D4-62-EA-42-E1-E2', '', '192.168.1.67', 'hotspot', 'Wireless-802.11', FROM_UNIXTIME(1633633863), FROM_UNIXTIME(1633633863), NULL, '0', '', '', '', '0', '0', '6C:3B:6B:FA:1A:8F', 'D4:62:EA:42:E1:E2', '', '', '', '10.5.50.164') (1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('806090d1', '7f054881202d112c62658b7b3b7c059e', 'D4-62-EA-42-E1-E2', '', '192.168.1.67', 'hotspot', 'Wireless-802.11', FROM_UNIXTIME(1633633863), FROM_UNIXTIME(1633633863), NULL, '0', '', '', '', '0', '0', '6C:3B:6B:FA:1A:8F', 'D4:62:EA:42:E1:E2', '', '', '', '10.5.50.164') (1) sql: SQL query returned: success (1) sql: 1 record(s) updated rlm_sql (sql): Released connection (12) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (13), 1 of 127 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 (1) [sql] = ok (1) [exec] = noop (1) attr_filter.accounting_response: EXPAND %{User-Name} (1) attr_filter.accounting_response: --> D4-62-EA-42-E1-E2 (1) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (1) [attr_filter.accounting_response] = updated (1) } # accounting = updated (1) Sent Accounting-Response Id 60 from 172.31.36.39:1813 to 201.113.6.173:5630 length 0 (1) Finished request (1) Cleaning up request packet ID 60 with timestamp +575 Ready to process requests