MySQL DB and /n in Cisco-AVPair problem
Hi everyone, we are attempting to migrate a system from FreeRadius 1.x to 3.x and we have an issue with our Cisco network devices. Basically authentication fails. Stepping back a bit and doing some testing with NTRadPing everything looks ok, except for one small detail. With both the 1.x and 3.x systems we get "response: Access-Accept" and a load of details such as Service-Type, Tunnel-Password etc. However I see differences for non printing characters such as "/n". So for the Cisco-AVPair in the output in NTRadPing I see on 1.x: lcp:interface-config=ip unnumbered loopback 2003\n But on 3.x I see: lcp:interface-config=ip unnumbered loopback 2003\0x0a The output from 1.x is exactly how the data is entered and displays direct in MySQL. I've tried double escaping the "\" but it doesn't make any difference. I see that 0x0a is the ASCII encoding for \n, has something changed in FreeRadius WRT this? Or perhaps its an issue at the MySQL level? I also note the output for the Tunnel-Password displays differently between 1.x and 3.x. I'm testing this on FreeBSD 11.0 and FreeRadius 3.0.14 and MySQL 8.0 (although I've previously encountered this issue with 5.x), thanks, Andy.
On Jul 19, 2017, at 11:11 AM, Andy Smith <a.smith@ldex.co.uk> wrote:
With both the 1.x and 3.x systems we get "response: Access-Accept" and a load of details such as Service-Type, Tunnel-Password etc. However I see differences for non printing characters such as "/n". So for the Cisco-AVPair in the output in NTRadPing I see on 1.x:
lcp:interface-config=ip unnumbered loopback 2003\n
But on 3.x I see:
lcp:interface-config=ip unnumbered loopback 2003\0x0a
Where do you see this? The debug output? If so, that only matters for the debug output. If you want to see what's in the packet, use wireshark.
The output from 1.x is exactly how the data is entered and displays direct in MySQL. I've tried double escaping the "\" but it doesn't make any difference. I see that 0x0a is the ASCII encoding for \n, has something changed in FreeRadius WRT this? Or perhaps its an issue at the MySQL level?
Since you don't say where you see this, I can't offer any advice.
I also note the output for the Tunnel-Password displays differently between 1.x and 3.x.
And that difference is.... what? Alan DeKok.
On 19-07-2017, Alan DeKok wrote:
Where do you see this? The debug output?
Hi Alan, Im seeing this in "RADIUS Server reply" from NTRadPing The difference (again in the output in NTRadPing) for Tunnel-Password is, 1.x: \0x00\0xe5-\0xd6w\0xee\0x8a\0x96]\0xd0\0xe8\0xd2\0x13\0xacs\0x14\0xa5\0xf9 3.x: \0x00\0x82\0xb0\0x8c\0xd8\0x00\0x06\0xe8\0xc9Q\6f~8\0xc9\0xe0\0x15 The passwords are clear text in the DB, I mentioned this as its another thing that is different but I'm not sure its an issue. As I said, on both 1.x and 3.x I get responce access accepted in NTRadPing. The \n on the other hand I suspect may be an issue as the Cisco documention specifies that the AVPair should end with \n and it does not on the 3.0.14 server, thanks, Andy.
On Jul 19, 2017, at 6:04 PM, Andy Smith <a.smith@ldex.co.uk> wrote:
On 19-07-2017, Alan De Im seeing this in "RADIUS Server reply" from NTRadPing
We didn't write NTRadPing. Ask the authors of NTRadPing why it's broken.
The difference (again in the output in NTRadPing) for Tunnel-Password is, 1.x:
\0x00\0xe5-\0xd6w\0xee\0x8a\0x96]\0xd0\0xe8\0xd2\0x13\0xacs\0x14\0xa5\0xf9
3.x:
\0x00\0x82\0xb0\0x8c\0xd8\0x00\0x06\0xe8\0xc9Q\6f~8\0xc9\0xe0\0x15
The Tunnel-Passwords are encrypted on the wire. If NTRadPing isn't showing you the decrypted version, then it's garbage. Throw it away, and use a real RADIUS client. i.e. radclient.
The passwords are clear text in the DB, I mentioned this as its another thing that is different but I'm not sure its an issue. As I said, on both 1.x and 3.x I get responce access accepted in NTRadPing.
NTRadPing is garbage. Use a real RADIUS client.
The \n on the other hand I suspect may be an issue as the Cisco documention specifies that the AVPair should end with \n and it does not on the 3.0.14 server,
Since you're not posting the debug output, there isn't much I can do to help. Alan DeKok.
OK, same experiement but using radclient. I do see different results than when using NTRadPing. 1.x server: Cisco-AVPair = "lcp:interface-config=ip unnumbered loopback 2003\\n" So its double escaped the \n, in the DB its not double escaped. The 3.x server shows: Cisco-AVPair = "lcp:interface-config=ip unnumbered loopback 2003\n" If I double escape it in the DB it doesn't change the output from radclient, if I triple escape it it comes out as "\\\n". I don't know how much debug you want to see, the section where its reporting the reply to the client shows as: (1) Sent Access-Accept Id 207 from 172.31.252.152:1812 to 93.191.32.127:34327 length 0 (1) Cisco-AVPair = "lcp:interface-config=ip unnumbered loopback 2003\n" I tried adding "\" as a safe character in the MySQL quieries.conf but it didn't change anything. So is the question, why is FreeRadius 1 double escaping the "\n" and how can I replicate this in 3.0.14? thanks, Andy.
On Jul 20, 2017, at 4:59 AM, Andy Smith <a.smith@ldex.co.uk> wrote:
OK, same experiement but using radclient. I do see different results than when using NTRadPing. 1.x server:
How about using radclient, which isn't broken? I fail to see why some people are dead-set against using the tools that come with the server.
I don't know how much debug you want to see,
If you've read the documentation, or been on the list more than a few days, you'd know we want to see ALL of it. Honestly, you're asking questions and ignoring the answers. That isn't a way to solve the problem. Alan DeKok.
I was using the radclient from a Linux desktop, which was version 2.2.8, for testing against both the 1.x server and the 3.0.14. I've just tested again with the v3.0.14 radclient to both servers and I see the same thing, ie the response has a double escaped //n from the 1.x server but not the 3.0.14. Here is the full debug from the 3.0.14 server during this test: (7) Received Access-Request Id 234 from 127.0.0.1:19688 to 127.0.0.1:1812 length 60 (7) User-Name = "ttb-test@realm-1.ws" (7) CHAP-Password = 0x0ec29b10ac548d021a2e021e687c2556ab (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (7) authorize { (7) [preprocess] = ok (7) chap: &control:Auth-Type := CHAP (7) [chap] = ok (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "realm-1.ws" for User-Name = "ttb-test@realm-1.ws" (7) suffix: No such realm "realm-1.ws" (7) [suffix] = noop (7) eap: No EAP-Message, not doing EAP (7) [eap] = noop (7) [files] = noop (7) sql: EXPAND %{User-Name} (7) sql: --> ttb-test@realm-1.ws (7) sql: SQL-User-Name set to 'ttb-test@realm-1.ws' rlm_sql (sql): Closing connection (12): Hit idle_timeout, was idle for 262 seconds rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (11): Hit idle_timeout, was idle for 215 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (14): Hit idle_timeout, was idle for 215 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (13): Hit idle_timeout, was idle for 215 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare" rlm_sql (sql): Opening additional connection (15), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.0-dmr-log, protocol version 10 rlm_sql (sql): Reserved connection (15) (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ttb-test@realm-1.ws' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ttb-test@realm-1.ws' ORDER BY id (7) sql: User found in radcheck table (7) sql: Conditional check items matched, merging assignment check items (7) sql: Cleartext-Password := "test" (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ttb-test@realm-1.ws' ORDER BY id (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ttb-test@realm-1.ws' ORDER BY id (7) sql: User found in radreply table, merging reply items (7) sql: Cisco-AVPair := "lcp:interface-config=ip unnumbered loopback 2003\n" (7) sql: Framed-IP-Address := 93.191.37.198 (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'ttb-test@realm-1.ws' ORDER BY priority (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ttb-test@realm-1.ws' ORDER BY priority (7) sql: User found in the group table (7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'realm-1' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'realm-1' ORDER BY id (7) sql: Group "realm-1": Conditional check items matched (7) sql: Group "realm-1": Merging assignment check items (7) sql: Auth-Type := CHAP (7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (7) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'realm-1' ORDER BY id (7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'realm-1' ORDER BY id (7) sql: Group "realm-1": Merging reply items (7) sql: Service-Type := Framed-User (7) sql: Tunnel-Medium-Type := IPv4 (7) sql: Tunnel-Type := L2TP (7) sql: Tunnel-Password := "flu1dl2tp" (7) sql: Tunnel-Server-Endpoint := "178.248.104.124" (7) sql: Tunnel-Client-Auth-Id := "broadband-3" rlm_sql (sql): Released connection (15) Need 2 more connections to reach min connections (3) rlm_sql (sql): Opening additional connection (16), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 8.0.0-dmr-log, protocol version 10 (7) [sql] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = ok (7) Found Auth-Type = CHAP (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (7) Auth-Type CHAP { (7) chap: Comparing with "known good" Cleartext-Password (7) chap: CHAP user "ttb-test@realm-1.ws" authenticated successfully (7) [chap] = ok (7) } # Auth-Type CHAP = ok (7) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (7) post-auth { (7) update { (7) No attributes updated (7) } # update = noop (7) sql: EXPAND .query (7) sql: --> .query (7) sql: Using query template 'query' rlm_sql (sql): Reserved connection (15) (7) sql: EXPAND %{User-Name} (7) sql: --> ttb-test@realm-1.ws (7) sql: SQL-User-Name set to 'ttb-test@realm-1.ws' (7) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (7) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ttb-test@realm-1.ws', '0x0ec29b10ac548d021a2e021e687c2556ab', 'Access-Accept', '2017-07-20 15:03:35') (7) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ttb-test@realm-1.ws', '0x0ec29b10ac548d021a2e021e687c2556ab', 'Access-Accept', '2017-07-20 15:03:35') (7) sql: SQL query returned: success (7) sql: 1 record(s) updated rlm_sql (sql): Released connection (15) (7) [sql] = ok (7) [exec] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # post-auth = ok (7) Sent Access-Accept Id 234 from 127.0.0.1:1812 to 127.0.0.1:19688 length 0 (7) Cisco-AVPair = "lcp:interface-config=ip unnumbered loopback 2003\n" (7) Framed-IP-Address = 93.191.37.198 (7) Service-Type = Framed-User (7) Tunnel-Medium-Type = IPv4 (7) Tunnel-Type = L2TP (7) Tunnel-Password = "flu1dl2tp" (7) Tunnel-Server-Endpoint = "178.248.104.124" (7) Tunnel-Client-Auth-Id = "broadband-3" (7) Finished request I'm new to both the forum and FreeRadius. If this is still not the info needed please let me know what I should be providing, thanks, Andy.
On Jul 20, 2017, at 10:07 AM, Andy Smith <a.smith@ldex.co.uk> wrote:
I was using the radclient from a Linux desktop, which was version 2.2.8, for testing against both the 1.x server and the 3.0.14.
Your previous messages were talking about NTRadPing. Please keep your story consistent.
I've just tested again with the v3.0.14 radclient to both servers and I see the same thing, ie the response has a double escaped //n from the 1.x server but not the 3.0.14.
So? As I've said, that's just debug output. As I've also said, what do the packets look like? Have you tried using wireshark to compare the packets?
I'm new to both the forum and FreeRadius. If this is still not the info needed please let me know what I should be providing,
It's nice that you're new. It's annoying that you ignore the advice I've been giving. There are ways to get things done: follow instructions. There are ways to annoy people: do everything *other* than what you're told to do. So far you're about 75% ignoring advice, and 25% following it. If you want to solve the problem, you have to change that ratio. A lot. Alan DeKok.
On Thu, 2017-07-20 at 15:07 +0100, Andy Smith wrote:
tested again with the v3.0.14 radclient to both servers and I see the same thing, ie the response has a double escaped //n from the 1.x server but not the 3.0.14.
I can't see what you've got it set to as you've not posted the full debug output, but as a quick thought, check the setting of "correct_escapes" in radiusd.conf, and try changing it. -- Matthew
participants (3)
-
Alan DeKok -
Andy Smith -
Matthew Newton