Fwd: ERROR: pap : Cleartext password does not match "known good" password
I don't understand what is happening to the password as I can see it correctly in the access request. I also would have expected to see the password on this line just before the error: (0) Auth-Type PAP { (0) pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE??? IT IS NOT] Here is the full output (minus the IP addresses): Received Access-Request Id 8 from X:18852 to X:1812 length 107 User-Name = '20c9d081bcc3' User-Password = '20c9d081bcc3' NAS-Identifier = '58-B6-33-1A-7D-20' NAS-IP-Address = X Service-Type = Login-User NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c (0) Received Access-Request packet from host X port 18852, id=8, length=107 (0) User-Name = '20c9d081bcc3' (0) User-Password = '20c9d081bcc3' (0) NAS-Identifier = '58-B6-33-1A-7D-20' (0) NAS-IP-Address = X (0) Service-Type = Login-User (0) NAS-Port-Type = Wireless-802.11 (0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) sql : EXPAND %{User-Name} (0) sql : --> 20c9d081bcc3 (0) sql : SQL-User-Name set to '20c9d081bcc3' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id' (0) sql : User found in radcheck table (0) sql : Check items matched (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id' (0) sql : User found in radreply table (0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql : --> SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority' (0) sql : User not found in any groups rlm_sql (sql): Released connection (4) (0) [sql] = ok (0) if (notfound) (0) if (notfound) -> FALSE (0) expiration : Account will expire at 'May 12 2016 13:00:00 UTC' (0) [expiration] = ok (0) if (userlock) (0) if (userlock) -> FALSE (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap : Login attempt with password *(0) ERROR: pap : Cleartext password does not match "known good" password* (0) pap : Passwords don't match (0) [pap] = reject (0) } # Auth-Type PAP = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> 20c9d081bcc3 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response Waking up in 3.9 seconds. (0) Cleaning up request packet ID 8 with timestamp +6 of note: records in the mysql radcheck table related to the user | 54 | 20C9D081BCC3 | Expiration | := | 12 May 2016 13:00 | | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3 | | 56 | 20C9D081BCC3 | Site-Id | := | LAB |
On 11 May 2016, at 06:42, orion doty <orion.doty@gmail.com> wrote:
I don't understand what is happening to the password as I can see it correctly in the access request. I also would have expected to see the password on this line just before the error:
(0) Auth-Type PAP {
(0) pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE??? IT IS NOT]
NO IT SHOULD NOT BE THERE. if (RDEBUG_ENABLED3) { RDEBUG3("Login attempt with password \"%s\" (%zd)", request->password->vp_strvalue, request->password->vp_length); } else { RDEBUG("Login attempt with password"); } Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
User-Password = '20c9d081bcc3' [...] | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3 |
they do not match... On Wed, May 11, 2016 at 12:42 PM, orion doty <orion.doty@gmail.com> wrote:
I don't understand what is happening to the password as I can see it correctly in the access request. I also would have expected to see the password on this line just before the error:
(0) Auth-Type PAP {
(0) pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE??? IT IS NOT]
Here is the full output (minus the IP addresses):
Received Access-Request Id 8 from X:18852 to X:1812 length 107
User-Name = '20c9d081bcc3'
User-Password = '20c9d081bcc3'
NAS-Identifier = '58-B6-33-1A-7D-20'
NAS-IP-Address = X
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
(0) Received Access-Request packet from host X port 18852, id=8, length=107
(0) User-Name = '20c9d081bcc3'
(0) User-Password = '20c9d081bcc3'
(0) NAS-Identifier = '58-B6-33-1A-7D-20'
(0) NAS-IP-Address = X
(0) Service-Type = Login-User
(0) NAS-Port-Type = Wireless-802.11
(0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) sql : EXPAND %{User-Name}
(0) sql : --> 20c9d081bcc3
(0) sql : SQL-User-Name set to '20c9d081bcc3'
rlm_sql (sql): Reserved connection (4)
(0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id'
(0) sql : User found in radcheck table
(0) sql : Check items matched
(0) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id'
(0) sql : User found in radreply table
(0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql : --> SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority'
(0) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) if (notfound)
(0) if (notfound) -> FALSE
(0) expiration : Account will expire at 'May 12 2016 13:00:00 UTC'
(0) [expiration] = ok
(0) if (userlock)
(0) if (userlock) -> FALSE
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap : Login attempt with password
*(0) ERROR: pap : Cleartext password does not match "known good" password*
(0) pap : Passwords don't match
(0) [pap] = reject
(0) } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> 20c9d081bcc3
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 8 with timestamp +6
of note: records in the mysql radcheck table related to the user
| 54 | 20C9D081BCC3 | Expiration | := | 12 May 2016 13:00 |
| 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3 |
| 56 | 20C9D081BCC3 | Site-Id | := | LAB | - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- "Madness, like small fish, runs in hosts, in vast numbers of instances." Nessuno mi pettina bene come il vento.
Wow, late night, glad some of our brains are still functioning, thanks! On Wed, May 11, 2016 at 4:53 AM, aquilinux <aquilinux@gmail.com> wrote:
User-Password = '20c9d081bcc3' [...] | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3 |
they do not match...
On Wed, May 11, 2016 at 12:42 PM, orion doty <orion.doty@gmail.com> wrote:
I don't understand what is happening to the password as I can see it correctly in the access request. I also would have expected to see the password on this line just before the error:
(0) Auth-Type PAP {
(0) pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE??? IT IS NOT]
Here is the full output (minus the IP addresses):
Received Access-Request Id 8 from X:18852 to X:1812 length 107
User-Name = '20c9d081bcc3'
User-Password = '20c9d081bcc3'
NAS-Identifier = '58-B6-33-1A-7D-20'
NAS-IP-Address = X
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
(0) Received Access-Request packet from host X port 18852, id=8, length=107
(0) User-Name = '20c9d081bcc3'
(0) User-Password = '20c9d081bcc3'
(0) NAS-Identifier = '58-B6-33-1A-7D-20'
(0) NAS-IP-Address = X
(0) Service-Type = Login-User
(0) NAS-Port-Type = Wireless-802.11
(0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) sql : EXPAND %{User-Name}
(0) sql : --> 20c9d081bcc3
(0) sql : SQL-User-Name set to '20c9d081bcc3'
rlm_sql (sql): Reserved connection (4)
(0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id'
(0) sql : User found in radcheck table
(0) sql : Check items matched
(0) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id'
(0) sql : User found in radreply table
(0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql : --> SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority'
(0) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
(0) [sql] = ok
(0) if (notfound)
(0) if (notfound) -> FALSE
(0) expiration : Account will expire at 'May 12 2016 13:00:00 UTC'
(0) [expiration] = ok
(0) if (userlock)
(0) if (userlock) -> FALSE
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap : Login attempt with password
*(0) ERROR: pap : Cleartext password does not match "known good" password*
(0) pap : Passwords don't match
(0) [pap] = reject
(0) } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> 20c9d081bcc3
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 8 with timestamp +6
of note: records in the mysql radcheck table related to the user
| 54 | 20C9D081BCC3 | Expiration | := | 12 May 2016 13:00 |
| 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3 |
| 56 | 20C9D081BCC3 | Site-Id | := | LAB | - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- "Madness, like small fish, runs in hosts, in vast numbers of instances."
Nessuno mi pettina bene come il vento. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
aquilinux -
Arran Cudbard-Bell -
orion doty