"0x" in front of Clear-text password
Hello, We have Freeradius 3 running successfully - we updated from Freeradius 2 a couple months ago. We encountered a problem with NAS running Coovachilli for captive portal authentication which was working before. Even if the uamsecret is not set SQL logs the radcheck attempt with the correct password but with a leading "0x" - it seems it is rejecting the access request due to that 0x being in front. Is there a way to modify freeradius to strip that "0x" so that we can get successful authentication or maybe force taking CHAP-Password parameter as User-Password? Please let me know if I should ask differently or include some more information. Here is the debug file: Ready to process requests (0) Received Access-Request Id 60 from 187.168.34.159:48641 to 172.31.36.39:1812 length 162 (0) User-Name = "06-CC-C6-1E-6B-09" (0) CHAP-Password = 0x7c2e341f7fa12820b2605223bac6c307 (0) CHAP-Challenge = 0x047808cb6d147b8d77d3116a0cfa6498 (0) Calling-Station-Id = "06-CC-C6-1E-6B-09" (0) Called-Station-Id = "00-1A-DD-7A-E1-80" (0) Service-Type = Login-User (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Identifier = "myNas" (0) Acct-Session-Id = "615f44bb00000000" (0) NAS-Port = 0 (0) NAS-IP-Address = 192.168.101.166 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "06-CC-C6-1E-6B-09", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> 06-CC-C6-1E-6B-09 (0) sql: SQL-User-Name set to '06-CC-C6-1E-6B-09' rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 78 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 78 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 78 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 78 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (10), 1 of 128 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 rlm_sql (sql): Reserved connection (10) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "7c2e341f7fa12820b2605223bac6c307" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '06-CC-C6-1E-6B-09' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '06-CC-C6-1E-6B-09' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '06-CC-C6-1E-6B-09' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (10) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (11), 1 of 127 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: No User-Password attribute in the request. Cannot do PAP (0) [pap] = noop (0) } # authorize = ok (0) WARNING: Please update your configuration, and remove 'Auth-Type = Local' (0) WARNING: Use the PAP or CHAP modules instead (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (10) (0) sql: EXPAND %{User-Name} (0) sql: --> 06-CC-C6-1E-6B-09 (0) sql: SQL-User-Name set to '06-CC-C6-1E-6B-09' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '06-CC-C6-1E-6B-09', '0x7c2e341f7fa12820b2605223bac6c307', 'Access-Reject', '2021-10-07 19:04:27.702763') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '06-CC-C6-1E-6B-09', '0x7c2e341f7fa12820b2605223bac6c307', 'Access-Reject', '2021-10-07 19:04:27.702763') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (10) (0) [sql] = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> 06-CC-C6-1E-6B-09 (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 60 from 172.31.36.39:1812 to 187.168.34.159:48641 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +78 Ready to process requests (1) Received Accounting-Request Id 60 from 201.113.6.173:5630 to 172.31.36.39:1813 length 169 (1) Acct-Status-Type = Start (1) NAS-Port-Type = Wireless-802.11 (1) Calling-Station-Id = "D4:62:EA:42:E1:E2" (1) Called-Station-Id = "6C:3B:6B:FA:1A:8F" (1) NAS-Port-Id = "hotspot" (1) User-Name = "D4-62-EA-42-E1-E2" (1) NAS-Port = 2153812177 (1) Acct-Session-Id = "806090d1" (1) Framed-IP-Address = 10.5.50.164 (1) Mikrotik-Host-IP = 10.5.50.164 (1) Event-Timestamp = "Oct 7 2021 19:11:03 UTC" (1) NAS-Identifier = "6C:3B:6B:FA:1A:8F" (1) Acct-Delay-Time = 0 (1) NAS-IP-Address = 192.168.1.67 (1) # Executing section preacct from file /etc/raddb/sites-enabled/default (1) preacct { (1) [preprocess] = ok (1) policy acct_unique { (1) update request { (1) &Tmp-String-9 := "ai:" (1) } # update request = noop (1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (1) EXPAND %{hex:&Class} (1) --> (1) EXPAND ^%{hex:&Tmp-String-9} (1) --> ^61693a (1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (1) else { (1) update request { (1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (1) --> 7f054881202d112c62658b7b3b7c059e (1) &Acct-Unique-Session-Id := 7f054881202d112c62658b7b3b7c059e (1) } # update request = noop (1) } # else = noop (1) } # policy acct_unique = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "D4-62-EA-42-E1-E2", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) [files] = noop (1) } # preacct = ok (1) # Executing section accounting from file /etc/raddb/sites-enabled/default (1) accounting { (1) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (1) detail: --> /var/log/radius/radacct/201.113.6.173/detail-20211007 (1) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/201.113.6.173/detail-20211007 (1) detail: EXPAND %t (1) detail: --> Thu Oct 7 19:12:44 2021 (1) [detail] = ok (1) [unix] = ok (1) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (1) sql: --> type.start.query (1) sql: Using query template 'query' rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 497 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 497 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (12), 1 of 128 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 rlm_sql (sql): Reserved connection (12) (1) sql: EXPAND %{User-Name} (1) sql: --> D4-62-EA-42-E1-E2 (1) sql: SQL-User-Name set to 'D4-62-EA-42-E1-E2' (1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}') (1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('806090d1', '7f054881202d112c62658b7b3b7c059e', 'D4-62-EA-42-E1-E2', '', '192.168.1.67', 'hotspot', 'Wireless-802.11', FROM_UNIXTIME(1633633863), FROM_UNIXTIME(1633633863), NULL, '0', '', '', '', '0', '0', '6C:3B:6B:FA:1A:8F', 'D4:62:EA:42:E1:E2', '', '', '', '10.5.50.164') (1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('806090d1', '7f054881202d112c62658b7b3b7c059e', 'D4-62-EA-42-E1-E2', '', '192.168.1.67', 'hotspot', 'Wireless-802.11', FROM_UNIXTIME(1633633863), FROM_UNIXTIME(1633633863), NULL, '0', '', '', '', '0', '0', '6C:3B:6B:FA:1A:8F', 'D4:62:EA:42:E1:E2', '', '', '', '10.5.50.164') (1) sql: SQL query returned: success (1) sql: 1 record(s) updated rlm_sql (sql): Released connection (12) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (13), 1 of 127 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10 (1) [sql] = ok (1) [exec] = noop (1) attr_filter.accounting_response: EXPAND %{User-Name} (1) attr_filter.accounting_response: --> D4-62-EA-42-E1-E2 (1) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (1) [attr_filter.accounting_response] = updated (1) } # accounting = updated (1) Sent Accounting-Response Id 60 from 172.31.36.39:1813 to 201.113.6.173:5630 length 0 (1) Finished request (1) Cleaning up request packet ID 60 with timestamp +575 Ready to process requests
On Oct 7, 2021, at 8:40 PM, Eric Aguilar <agueric@gmail.com> wrote:
We have Freeradius 3 running successfully - we updated from Freeradius 2 a couple months ago.
That's good. It shows the stability of v2, I guess.
We encountered a problem with NAS running Coovachilli for captive portal authentication which was working before. Even if the uamsecret is not set SQL logs the radcheck attempt with the correct password but with a leading "0x" - it seems it is rejecting the access request due to that 0x being in front.
I think something else is going on.
Is there a way to modify freeradius to strip that "0x" so that we can get successful authentication or maybe force taking CHAP-Password parameter as User-Password?
I think that's the wrong question. Let's see.
Please let me know if I should ask differently or include some more information.
Here is the debug file:
Ready to process requests (0) Received Access-Request Id 60 from 187.168.34.159:48641 to 172.31.36.39:1812 length 162 (0) User-Name = "06-CC-C6-1E-6B-09" (0) CHAP-Password = 0x7c2e341f7fa12820b2605223bac6c307 (0) CHAP-Challenge = 0x047808cb6d147b8d77d3116a0cfa6498
Here, the CHAP-Password is pretty much MD5(Cleartext-Password + CHAP-Challenge) i.e. if you have the *real* password, then the server can calculate CHAP-Password from that, and from the CHAP-Challenge. It then compares the CHAP-Password it calculated to the one which it sees in the packet. If they're the same, then the password entered by the user is correct. If they're different, then the password entered by the user is wrong.
rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on radiuscg.us-east-2.rds.amazonaws.com via TCP/IP, server version 5.7.33-log, protocol version 10
You should really use TLS and/or IPSec for tht. But whatever.
(0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "7c2e341f7fa12820b2605223bac6c307"
Uh... that's not right. Sure, it's what you put in the database. But why does the Cleartext-Password have exactly the same hex string as the CHAP-Password? That should never happen. i.e. it only happens if you're reading the packets in debug mode, and assuming that CHAP-Password is actually what the user entered, and then adding that magic hex string to the database. Don't do that. It's extremely wrong.
(0) pap: No User-Password attribute in the request. Cannot do PAP
That's pretty clear. Note also that it's not running the "chap" module, which is in the default configuration. So you've edited the configuration to say "don't do CHAP", and then sent the server a packet which contains CHAP. That won't work. Go back and re-enable the "chap" module. See the default configuration for where it should go in the "authorize" and "authenticate" sections. Then put the REAL Cleartext-Password into the SQL database. Don't put the random hex stuff from CHAP-Password. That value will change on every packet. And perhaps you could explain a bit more about what you're trying to do. Why do you think it's necessary to delete "chap" from sites-enabled/default? And why put the hex string from CHAP-Password into the database as Cleartext-Password? What is your end goal here? If you're trying to authenticate users, just put the real password in the database. If you're trying to do something else, then explain that. Alan DeKok.
participants (2)
-
Alan DeKok -
Eric Aguilar