Cleartext password does not match "known good" password

Mon Dec 7 17:22:07 CET 2015

Hi Alan,

It works. Thank you.

One more question:
Why the password in "radpostauth" shown without the tail/padding?

On Tue, Dec 8, 2015 at 12:09 AM, Gang Li <gavin.lee.cd at gmail.com> wrote:
> Hi Alan,
>
> Thank you for your reply.
>
> Here's the complete debug msg;
>
> (0) Received Access-Request Id 70 from 10.0.0.110:1812 to
> 10.0.0.101:1812 length 273
> (0)   User-Name = "admin"
> (0)   User-Password =
> "111111\000\000\000\000\000\000\000\000\000\000\245z\277\023\362*\r\342\302\354\350\374\026\303\337\030"
> (0)   NAS-Port = 0
> (0)   Service-Type = Administrative-User
> (0)   Framed-Protocol = X.75-Synchronous
> (0)   Framed-IP-Address = 2.0.0.10
> (0)   NAS-Identifier = "LNS"
> (0)   NAS-Port-Type = Virtual
> (0)   NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=0"
> (0)   Called-Station-Id =
> "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377
> (0)   Login-IP-Host = 2.0.0.10
> (0)   NAS-IP-Address = 10.0.0.110
> (0)   Huawei-Startup-Stamp = 1449191622
> (0)   Huawei-IPHost-Addr = "2.0.0.10 ff:ff:ff:ff:ff:ff"
> (0)   Huawei-Connect-ID = 6
> (0)   Huawei-Version = "Huawei AR1220"
> (0)   Huawei-Product-ID = "AR"
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (!&User-Name) {
> (0)       if (!&User-Name)  -> FALSE
> (0)       if (&User-Name =~ / /) {
> (0)       if (&User-Name =~ / /)  -> FALSE
> (0)       if (&User-Name =~ /@.*@/ ) {
> (0)       if (&User-Name =~ /@.*@/ )  -> FALSE
> (0)       if (&User-Name =~ /\.\./ ) {
> (0)       if (&User-Name =~ /\.\./ )  -> FALSE
> (0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (0)       if (&User-Name =~ /\.$/)  {
> (0)       if (&User-Name =~ /\.$/)   -> FALSE
> (0)       if (&User-Name =~ /@\./)  {
> (0)       if (&User-Name =~ /@\./)   -> FALSE
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "admin", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> admin
> (0) sql: SQL-User-Name set to 'admin'
> rlm_sql (sql): Reserved connection (1)
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = 'admin' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute,
> value, op FROM radcheck WHERE username = 'admin' ORDER BY id
> (0) sql: User found in radcheck table
> (0) sql: Conditional check items matched, merging assignment check items
> (0) sql:   Cleartext-Password := "111111"
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM
> radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM
> radreply WHERE username = 'admin' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute,
> value, op FROM radreply WHERE username = 'admin' ORDER BY id
> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
> '%{SQL-User-Name}' ORDER BY priority
> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username =
> 'admin' ORDER BY priority
> (0) sql: Executing select query: SELECT groupname FROM radusergroup
> WHERE username = 'admin' ORDER BY priority
> (0) sql: User not found in any groups
> rlm_sql (sql): Released connection (1)
> (0)     [sql] = ok
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0)     [pap] = updated
> (0)   } # authorize = updated
> (0) Found Auth-Type = PAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Auth-Type PAP {
> (0) pap: Login attempt with password
> (0) pap: Comparing with "known good" Cleartext-Password
> (0) pap: ERROR: Cleartext password does not match "known good" password
> (0) pap: Passwords don't match
> (0)     [pap] = reject
> (0)   } # Auth-Type PAP = reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) sql: EXPAND .query
> (0) sql:    --> .query
> (0) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (2)
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> admin
> (0) sql: SQL-User-Name set to 'admin'
> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( '%{SQL-User-Name}',
> '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply,
> authdate) VALUES ( 'admin', '111111', 'Access-Reject', '2015-12-07
> 23:01:52')
> (0) sql: Executing query: INSERT INTO radpostauth (username, pass,
> reply, authdate) VALUES ( 'admin', '111111', 'Access-Reject',
> '2015-12-07 23:01:52')
> (0) sql: SQL query returned: success
> (0) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (2)
> (0)     [sql] = ok
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> admin
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 18
> (0)     [attr_filter.access_reject] = updated
> (0) eap: Request didn't contain an EAP-Message, not inserting EAP-Failure
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) <delay>: Sending delayed response
> (0) <delay>: Sent Access-Reject Id 70 from 10.0.0.101:1812 to
> 10.0.0.110:1812 length 20
> Waking up in 3.9 seconds.
> (0) <delay>: Cleaning up request packet ID 70 with timestamp +43
>
>
> In the debug msg, I can find the username/password admin/111111, I
> think that means freeradius has got the correct information from
> mysql.