Backslash in AD Password
Hello, is it possible to see what password a module is forwarding to an application? I have the problem that I run freeradius with an external OTP Software (LinOTP) via a rlm_perl module. When I try to authenticate from a Cisco ASA with Anyconnect the authentication fails if there is a backslash in the username. If I try to authenticate directly agauinst the OTP Software it works with the backslash. In the radius -X log is see the password with escaped backslash: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = perl # Executing group from file /etc/freeradius/sites-enabled/linotp +group authenticate { rlm_perl: Config File /etc/linotp2/rlm_perl.ini found! rlm_perl: Default URL https://linotpserver/validate/simplecheck rlm_perl: RAD_REQUEST: Called-Station-Id = y.y.y.y rlm_perl: RAD_REQUEST: Vendor-3076-Attr-146 = 0x4d55435f48515f53706c6974496e7465726e65745f324641 rlm_perl: RAD_REQUEST: Cisco-AVPair = ARRAY(0x1607ff0) rlm_perl: RAD_REQUEST: NAS-IP-Address = z.z.z.z rlm_perl: RAD_REQUEST: Vendor-3076-Attr-150 = 0x00000002 rlm_perl: RAD_REQUEST: Tunnel-Client-Endpoint = x.x.x.x rlm_perl: RAD_REQUEST: Calling-Station-Id = x.x.x.x rlm_perl: RAD_REQUEST: User-Name = test-vpn rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual rlm_perl: RAD_REQUEST: User-Password = 123456a\\932684 rlm_perl: RAD_REQUEST: NAS-Port = 19587072 rlm_perl: Auth-Type: perl rlm_perl: Url: https://172.28.8.190/validate/simplecheck rlm_perl: User: test-vpn rlm_perl: urlparam pass = 123456a\\932684 rlm_perl: urlparam realm = check24 rlm_perl: urlparam client = a.a.a.a.a rlm_perl: urlparam user = test-vpn rlm_perl: Content :-( rlm_perl: return RLM_MODULE_REJECT rlm_perl: Added pair Called-Station-Id = y.y.y.y. rlm_perl: Added pair Vendor-3076-Attr-146 = 0x4d55435f48515f53706c6974496e7465726e65745f324641 rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-platform=android rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-type=Xiaomi Mi A1 rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-mac=f4-f5-db-ea-66-e9 rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-platform-version=8.0.0 rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-phone-id=GSM:865181033404965 rlm_perl: Added pair Cisco-AVPair = mdm-tlv=ac-user-agent=AnyConnect Android 4.6.00143 rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-uid=48FE3052979F54499178B9B0CB4F940BFB462365F18920AA5D715718BCAF15E9 rlm_perl: Added pair Cisco-AVPair = audit-session-id=c0a80101012ae0005b4769b5 rlm_perl: Added pair Cisco-AVPair = ip:source-ip=x.x.x.x rlm_perl: Added pair Cisco-AVPair = coa-push=true rlm_perl: Added pair NAS-IP-Address = z.z.z.z. rlm_perl: Added pair Vendor-3076-Attr-150 = 0x00000002 rlm_perl: Added pair Tunnel-Client-Endpoint = x.x.x.x rlm_perl: Added pair Calling-Station-Id = x.x.x.x rlm_perl: Added pair User-Name = test-vpn rlm_perl: Added pair NAS-Port-Type = Virtual rlm_perl: Added pair User-Password = 123456a\\932684 rlm_perl: Added pair NAS-Port = 19587072 rlm_perl: Added pair Reply-Message = LinOTP server denied access! rlm_perl: Added pair Auth-Type = perl ++[perl] = reject +} # group authenticate = reject Failed to authenticate the user. Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 142 to z.z.z.z. port 54015 Reply-Message = "LinOTP server denied access!" Waking up in 4.9 seconds. Cleaning up request 0 ID 142 with timestamp +46 Ready to process requests. rlm_perl: Added pair User-Name = test-vpn rlm_perl: Added pair NAS-Port-Type = Virtual rlm_perl: Added pair User-Password = 123456a\\932684 rlm_perl: Added pair NAS-Port = 19587072 rlm_perl: Added pair Reply-Message = LinOTP server denied access! rlm_perl: Added pair Auth-Type = perl ++[perl] = reject +} # group authenticate = reject Failed to authenticate the user. Is there a way to see if freeradius sends the password with 2 backslashes? Bernhard Knoll
On Jul 12, 2018, at 10:58 AM, Bernhard Knoll <Bernhard.Knoll@check24.de> wrote:
is it possible to see what password a module is forwarding to an application?
The debug output you posted to the list shows this.
I have the problem that I run freeradius with an external OTP Software (LinOTP) via a rlm_perl module.
When I try to authenticate from a Cisco ASA with Anyconnect the authentication fails if there is a backslash in the username. If I try to authenticate directly agauinst the OTP Software it works with the backslash. In the radius -X log is see the password with escaped backslash:
Yes... that's how it works. Special characters are escaped. With backslashes.
Is there a way to see if freeradius sends the password with 2 backslashes?
The debug output? Or, you can edit the Perl function to print out each individual character in the password. Alan DeKok.
So the otp app has to account for this or is a workaround possible in freeradius? Best regards -----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+bernhard.knoll=check24.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Donnerstag, 12. Juli 2018 17:03 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: Backslash in AD Password On Jul 12, 2018, at 10:58 AM, Bernhard Knoll <Bernhard.Knoll@check24.de> wrote:
is it possible to see what password a module is forwarding to an application?
The debug output you posted to the list shows this.
I have the problem that I run freeradius with an external OTP Software (LinOTP) via a rlm_perl module.
When I try to authenticate from a Cisco ASA with Anyconnect the authentication fails if there is a backslash in the username. If I try to authenticate directly agauinst the OTP Software it works with the backslash. In the radius -X log is see the password with escaped backslash:
Yes... that's how it works. Special characters are escaped. With backslashes.
Is there a way to see if freeradius sends the password with 2 backslashes?
The debug output? Or, you can edit the Perl function to print out each individual character in the password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Bernhard Knoll