WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Hello Everyone, I am new to FreeRADIUS world and got stuck at one point. My setup: - FreeRADIUS server o Users mentioned in ‘/usr/local/etc/raddb/mods-config/files/authorize’ § test Cleartext-Password := "welcome" o clients mentioned in ‘/usr/local/etc/raddb/clients.conf’ § client x.x.x.x{ § secret=test § } § Where, x.x.x.x is the IP address of RADIUS client machine - RADIUS client o RADIUS server is defined in ‘/etc/raddb/server’ § y.y.y.y test 2 § where, y.y.y.y is the IP address of RADIUS server *we have one application server where RADIUS client is already built and its working fine with newly configured RADIUS server. The issue is with RADIUS client that I have setup.* when trying to login to RADIUS client machine using user ‘test’, I am getting below error in debug logs: I have checked again and shared secret is same on NAS and RADIUS server. -------------------------------------------------------------------------------------------------------------------------------------- (1) Received Access-Request Id 33 from x.x.x.x:44896 to 10.222.34.65:1812 length 90 (1) User-Name = "test" (1) User-Password = "\010\n\r\177INCORRECT" (1) NAS-IP-Address = 10.222.34.227 (1) NAS-Identifier = "sshd" (1) NAS-Port = 3874 (1) NAS-Port-Type = Virtual (1) Service-Type = Authenticate-Only (1) Calling-Station-Id = "115.113.149.70" (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "test", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry test at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = updated (1) } # authorize = updated (1) Found Auth-Type = PAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Auth-Type PAP { (1) pap: Login attempt with password (1) pap: Comparing with "known good" Cleartext-Password (1) pap: ERROR: Cleartext password "? ?INCORRECT" does not match "known good" password (1) pap: Passwords don't match (1) [pap] = reject (1) } # Auth-Type PAP = reject (1) Failed to authenticate the user (1) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> test (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 33 from 10.222.34.65:1812 to x.x.x.x:44896 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 33 with timestamp +132 Ready to process requests *Regards,* *Narender Yadav*
On 29 Dec 2016, at 13:22, Narender Yadav <narender.yadav@mojonetworks.com> wrote:
(1) User-Password = "\010\n\r\177INCORRECT"
I'm making the assumption that you're trying to log into the NAS with U: "test" / P: "INCORRECT"), as you haven't mentioned it. If you're really certain that the shared secrets match, then your NAS is broken and appears to be prepending junk to the password. Specifically, "back space, line feed, carriage return, forward delete". The NAS either needs to be fixed, or you need to do some preprocessing with FreeRADIUS. If the junk is consistent, you can write a regex to ignore the first 4 bytes of the password. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Thanks for the quick response Adam. Regarding password, it is always "\010\n\r\177INCORRECT ". I have tried with passwords i.e. 'abc123', 'welcome', 'test123'. On NAS side, I am using http://freeradius.org/pam_radius_auth/ and below is the /etc/pam.d/sshd file details: ------------------------------------------------------------------------------------------------------------- #%PAM-1.0 auth sufficient pam_radius_auth.so auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session sufficient pam_radius_auth.so debug conf=/etc/raddb/server session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth ------------------------------------------------------------------------------------------------------------- Please let me know if you need any further details of NAS. Regards, Narender -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+narender.yadav=mojonetworks.com@lists.freeradius.org] On Behalf Of Adam Bishop Sent: Thursday, December 29, 2016 8:27 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! On 29 Dec 2016, at 13:22, Narender Yadav <narender.yadav@mojonetworks.com> wrote:
(1) User-Password = "\010\n\r\177INCORRECT"
I'm making the assumption that you're trying to log into the NAS with U: "test" / P: "INCORRECT"), as you haven't mentioned it. If you're really certain that the shared secrets match, then your NAS is broken and appears to be prepending junk to the password. Specifically, "back space, line feed, carriage return, forward delete". The NAS either needs to be fixed, or you need to do some preprocessing with FreeRADIUS. If the junk is consistent, you can write a regex to ignore the first 4 bytes of the password. Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 30, 2016, at 5:40 AM, Narender Yadav <narender.yadav@mojonetworks.com> wrote:
Regarding password, it is always "\010\n\r\177INCORRECT ". I have tried with passwords i.e. 'abc123', 'welcome', 'test123'.
You have a PAM module which is run before pam_radius_auth. That first module is checking the password locally, and when it's wrong, is setting the password to the "INCORRECT" string. Fix your PAM configuration so that it only does RADIUS password checking. i.e. this is a PAM problem. Nothing you do to FreeRADIUS will fix a PAM problem. Alan DeKok.
participants (3)
-
Adam Bishop -
Alan DeKok -
Narender Yadav