Problem with special character '%' inside in User-Password attribute [ freeradius 3.0.1 ]

joaocdc at gmail.com joaocdc at gmail.com
Thu Feb 26 15:57:39 CET 2015


Please, can someone help with the special character '%' inside the
User-Password attribute?
The radius generates an exception in the authorize phase, and the authentication
fails.

This occurs when PAP is selected.

Is it possible to escape special characters in the User-Password attribute? How do I do
it? Please show me an example.

I'm using freeradius 3.0.1 with CentOS 7. In the past I was using
freeradius 2.1 with Debian 6, and this problem never occurred.

In the debug output below it is possible to see the problem.


rad_recv: Access-Request packet from host 172.25.89.1 port 32768, id=250, length=157
    User-Name = '0006882'
    User-Password = '#mypass123%'
    Service-Type = Login-User
    NAS-IP-Address = 172.25.89.1
    NAS-Port = 4
    NAS-Identifier = 'WLC-PTI'
    NAS-Port-Type = Wireless-802.11
    Airespace-Wlan-Id = 8
    Calling-Station-Id = '00-db-df-27-2a-45'
    Called-Station-Id = 'dc-a5-f4-1d-1b-60:PTI-WIFI'
    Message-Authenticator = 0xe6054dc6d0e931d8210d4851a1c68e34
(24) # Executing section authorize from file /etc/raddb/sites-enabled/default
(24)   authorize {
(24)   ? if (User-Name !~ /@/)
(24)   ? if (User-Name !~ /@/) -> TRUE
(24)   if (User-Name !~ /@/) {
(24)    update request {
(24)         Realm := "pti"
(24)    } # update request = noop
(24)   } # if (User-Name !~ /@/) = noop
(24)   [preprocess] = ok
(24)   [chap] = noop
(24)   [mschap] = noop
(24)   [digest] = noop
(24) suffix : Request already has destination realm set.  Ignoring.
(24)   [suffix] = ok
(24)   update control {
(24)         Proxy-To-Realm := 'LOCAL'
(24)   } # update control = noop
(24) eap : No EAP-Message, not doing EAP
(24)   [eap] = noop
(24)   [files] = noop
(24)   ? if ( Service-Type == "Login-User")
(24)     expand: "Login-User" -> 'Login-User'
(24)   ? if ( Service-Type == "Login-User")  -> TRUE
(24)   if ( Service-Type == "Login-User")  {
(24)    ? if ( Realm == "pti")
(24)     expand: "pti" -> 'pti'
(24)    ? if ( Realm == "pti")  -> TRUE
(24)    if ( Realm == "pti")  {
rlm_ldap (ldap_pti): Reserved connection (4)
(24) ldap_pti :     expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(habitantActive=TRUE)(habitantLoginActive=TRUE)(habitantWirelessActive=TRUE))" -> '(&(uid=0006882)(habitantActive=TRUE)(habitantLoginActive=TRUE)(habitantWirelessActive=TRUE))'
(24) ldap_pti :     expand: "ou=instituicoes,dc=parque" -> 'ou=instituicoes,dc=parque'
(24) ldap_pti : Performing search in 'ou=instituicoes,dc=parque' with filter '(&(uid=0006882)(habitantActive=TRUE)(habitantLoginActive=TRUE)(habitantWirelessActive=TRUE))'
(24) ldap_pti : Waiting for search result...
(24) ldap_pti : User object found at DN "uid=0006882,cn=0040574,ou=instituicoes,dc=parque"
(24) ldap_pti : Processing user attributes
(24) ldap_pti :         control:Password-With-Header += '{SSHA}395fMQk8eSN+V+vDRKuc4JuAPTh7eV4c'
(24) ldap_pti :         control:NT-Password := 0x4335413336304144323434343343453142413437383138464642383638323046
rlm_ldap (ldap_pti): Released connection (4)
(24)     [ldap_pti] = ok
(24)    } # if ( Realm == "pti")  = ok
(24)    ? if ( Realm == "vst")
(24)     expand: "vst" -> 'vst'
(24)    ? if ( Realm == "vst")  -> FALSE
(24)   } # if ( Service-Type == "Login-User")  = ok
(24)   [expiration] = noop
(24)   [logintime] = noop
(24) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(24) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(24)   [pap] = updated
(24)  } #  authorize = updated
(24) Found Auth-Type = PAP
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24)  Auth-Type PAP {
(24) pap : login attempt with password "#mypass123%"
(24) pap : Using NT encryption.
(24) ERROR: pap : #mypass123%
(24) ERROR: pap :         ^ Invalid variable expansion
(24) pap :     expand: "%{mschap:NT-Hash %{User-Password}}" -> ''
(24) ERROR: pap : NT password check failed
(24) pap : Passwords don't match
(24)   [pap] = reject
(24)  } # Auth-Type PAP = reject
(24) Failed to authenticate the user.
(24) Login incorrect (pap: #mypass123%): [0006882] (from client controladora-wlan-1 port 4 cli 00-db-df-27-2a-45)
(24) Using Post-Auth-Type Reject
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24)  Post-Auth-Type REJECT {
(24) attr_filter.access_reject :     expand: "%{User-Name}" -> '0006882'
(24) attr_filter.access_reject : Matched entry DEFAULT at line 11
(24)   [attr_filter.access_reject] = updated
(24) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(24)   [eap] = noop
(24)   remove_reply_message_if_eap remove_reply_message_if_eap {
(24)    ? if (reply:EAP-Message && reply:Reply-Message)
(24)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(24)    else else {
(24)     [noop] = noop
(24)    } # else else = noop
(24)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(24)  } # Post-Auth-Type REJECT = updated
(24) Finished request 24.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(24) Sending delayed reject
Sending Access-Reject of id 250 from 186.233.12.25 port 1812 to 172.25.89.1 port 32768
Waking up in 2.2 seconds.

-- 
João Paulo de Lima Barbosa

"To get where most people don't get, you need to do what most people
don't do."
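The debug output shows the mechanism behind the failure: the `pap` module expands `%{mschap:NT-Hash %{User-Password}}`, the password `#mypass123%` is substituted in, and the resulting string is then parsed as a template again, so the trailing `%` is read as the start of a variable reference and rejected ("Invalid variable expansion"). The following Python is an added illustration, not code from the post or from FreeRADIUS: a toy template expander stands in for the server's `%{...}` expansion, the `%%` escape rule and the helper names (`xlat`, `nt_hash_two_pass`, `nt_hash_single_pass`, `escape_for_xlat`) are assumptions made for the example, and the request attributes are constructed to mirror the ones in the log. It contrasts the two-pass re-expansion that breaks on `%` with a single-pass form that treats the expanded password as data, and with escaping the value where re-expansion cannot be avoided.

```python
import re

# Constructed attributes modelled on the request in the post; not a real capture.
REQUEST = {
    "User-Name": "0006882",
    "User-Password": "#mypass123%",
}

_REF_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


class XlatError(ValueError):
    """Raised where the real server logs 'Invalid variable expansion'."""


def xlat(template, attrs):
    """Toy expander for a FreeRADIUS-like template language (an assumption for
    this example, not the server's real xlat implementation).

    '%{Attr}' is replaced by the attribute's value (empty string if absent).
    Any other use of '%' is an error, except that '%%' yields a literal '%'.
    """
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        else:
            m = _REF_RE.match(template, i)
            if m is None:
                raise XlatError(f"invalid variable expansion at offset {i} in {template!r}")
            out.append(attrs.get(m.group(1), ""))
            i = m.end()
    return "".join(out)


def nt_hash_input(password):
    """Stand-in for the body of an NT-Hash helper: NT hashes are MD4 over the
    UTF-16LE encoding of the password, so this returns the bytes to be hashed."""
    return password.encode("utf-16-le")


def nt_hash_two_pass(attrs):
    """Failure mode seen in the post: the password is expanded into a string
    that is then parsed as a template a second time, so '%' inside the password
    is re-read as the start of a reference and raises XlatError."""
    module_arg = xlat("NT-Hash %{User-Password}", attrs)  # pass 1: "NT-Hash #mypass123%"
    _, _, password = module_arg.partition(" ")
    return nt_hash_input(xlat(password, attrs))            # pass 2: re-parses user data


def nt_hash_single_pass(attrs):
    """Hardened form: the expanded value is handed to the helper as data and is
    never parsed as a template again, so any character in the password is safe."""
    return nt_hash_input(xlat("%{User-Password}", attrs))


def escape_for_xlat(value):
    """Alternative when re-expansion cannot be avoided: neutralise '%' before the
    value is embedded (relies on this toy expander's '%%' escape, an assumption)."""
    return value.replace("%", "%%")


def nt_hash_two_pass_escaped(attrs):
    """Two-pass flow with the password escaped before the first expansion; the
    second pass then turns '%%' back into the literal '%'."""
    escaped = dict(attrs, **{"User-Password": escape_for_xlat(attrs["User-Password"])})
    module_arg = xlat("NT-Hash %{User-Password}", escaped)  # "NT-Hash #mypass123%%"
    _, _, password = module_arg.partition(" ")
    return nt_hash_input(xlat(password, attrs))


if __name__ == "__main__":
    try:
        nt_hash_two_pass(REQUEST)
    except XlatError as exc:
        print("two-pass expansion failed:", exc)
    print("single-pass:", nt_hash_single_pass(REQUEST))
    print("escaped two-pass:", nt_hash_two_pass_escaped(REQUEST))
```

The single-pass form is the one to prefer: data that originates from the client (here, the password) should never travel back through the template parser. The two-pass form is not only fragile for passwords containing `%`; under the toy rules a password written as `%{User-Name}` would be substituted on the second pass and the hash computed over the user name instead, which is the same class of problem as any other injection of untrusted input into an interpreted string.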