Tunnel-Password length not multiple of 16
McWilliams, Rhys
rhys.mcwilliams at cdk.com
Mon Apr 18 16:22:18 CEST 2016
Hi,
I've been trying to migrate from FreeRADIUS ver 1.1.3 to ver 3.0.4.
I've set up new servers running MariaDB and FreeRADIUS 3.0.4 and have left the ver 3 config as default as possible, changing just a few things like the listen port and the SQL database parameters, and of course clients.conf and huntgroup.
All looks good at first glance and the radtest utility works and returns what is expected and the debug shows Access-Accept.
But when I run a "test aaa group" from the Cisco router it returns a "User rejected" and the "debug radius" outputs the following.
router#test aaa group vpn-dialin-auth-test user-name cisco new-code
User rejected
router#
Apr 18 16:01:39 SAST: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Apr 18 16:01:39 SAST: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Apr 18 16:01:39 SAST: RADIUS(00000000): Config NAS IP: 172.16.0.1
Apr 18 16:01:39 SAST: RADIUS(00000000): Config NAS IPv6: ::
Apr 18 16:01:39 SAST: RADIUS(00000000): sending
Apr 18 16:01:39 SAST: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
Apr 18 16:01:39 SAST: RADIUS(00000000): Send Access-Request to 172.16.0.2:18122 id 1645/8, len 57
Apr 18 16:01:39 SAST: RADIUS: authenticator DC F4 D6 39 DF 63 68 B4 - 16 06 B4 62 A3 44 9F 06
Apr 18 16:01:39 SAST: RADIUS: User-Password [2] 18 *
Apr 18 16:01:39 SAST: RADIUS: User-Name [1] 13 "user-name"
Apr 18 16:01:39 SAST: RADIUS: NAS-IP-Address [4] 6 172.16.0.1
Apr 18 16:01:39 SAST: RADIUS(00000000): Sending a IPv4 Radius Packet
Apr 18 16:01:39 SAST: RADIUS(00000000): Started 5 sec timeout
Apr 18 16:01:39 SAST: RADIUS: Received from id 1645/8 172.16.0.2:18122, Access-Accept, len 154
Apr 18 16:01:39 SAST: RADIUS: authenticator 02 9B 45 F7 98 F7 3F AB - 98 54 71 59 F3 73 29 76
Apr 18 16:01:39 SAST: RADIUS: Service-Type [6] 6 Outbound [5]
Apr 18 16:01:39 SAST: RADIUS: Tunnel-Type [64] 6 00:ESP [9]
Apr 18 16:01:39 SAST: RADIUS: Tunnel-Password [69] 52 00:*
Apr 18 16:01:39 SAST: RADIUS: Vendor, Cisco [26] 30
Apr 18 16:01:39 SAST: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
Apr 18 16:01:39 SAST: RADIUS: Vendor, Cisco [26] 40
Apr 18 16:01:39 SAST: RADIUS: Cisco AVpair [1] 34 "ipsec:key-exchange=preshared-key"
Apr 18 16:01:39 SAST: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
router#
Apr 18 16:01:39 SAST: RADIUS(00000000): Received from id 1645/8
Apr 18 16:01:39 SAST: RADIUS: Tunnel-Password length not multiple of 16
Apr 18 16:01:39 SAST: RADIUS/DECODE: decoder; FAIL
Apr 18 16:01:39 SAST: RADIUS/DECODE: attribute Tunnel-Password; FAIL
Apr 18 16:01:39 SAST: RADIUS/DECODE: parse response op decode; FAIL
You can see the Cisco router has received an "Access-Accept" from the line "RADIUS: Received from id 1645/8 172.16.0.2:18122, Access-Accept, len 154" but the debug returns that last bit about the Tunnel-Password.
If I run the same test against the current live aaa group, which authenticates against the ver 1.1.3 FreeRADIUS, it all works fine, as it should, being the live setup.
router#test aaa group vpn-dialin-auth user-name cisco new-code
User successfully authenticated
USER ATTRIBUTES
service-type 0 5 [Outbound]
tunnel-type 0 9 [esp]
tunnel-password 0 <hidden>
key-exchange 0 "ike"
key-exchange 0 "preshared-key"
The aaa groups are identical except the radius server defined to authenticate against and all the other bits that Cisco references are setup for the test group too.
I have done the changes in the database for ver 3 like this one - changing the attribute from "Password" to "Cleartext-Password" and the op to ":="
+----+-------------+--------------------+----+-------+
| id | UserName | Attribute | op | Value |
+----+-------------+--------------------+----+-------+
| 33 | user-name | Cleartext-Password | := | cisco |
+----+-------------+--------------------+----+-------+
As far as the RADIUS debug is concerned all was good and successful, but clearly Cisco thinks otherwise...
Please could someone point me in the correct direction, as I've spent a few days now searching for this "error" to no avail...
Rhys McWilliams
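The attribute the router is rejecting is encoded as described in RFC 2868 section 3.5: a tag octet, a two-octet salt, and an encrypted string that is always padded to a multiple of 16 octets before encryption. The Python below is an added illustration, not code from the original post or from FreeRADIUS or Cisco; it implements that encoding, the decoder-side check that produces a "length not multiple of 16" failure, and the arithmetic for the attribute length printed in the debug (a 52-octet attribute leaves 47 octets after type, length, tag and salt, which is not a multiple of 16, while 53 would be). The shared secret, Request-Authenticator, salt and password in the usage are constructed values.

```python
"""RFC 2868 section 3.5 Tunnel-Password encode/decode (added example, not FreeRADIUS code)."""
import hashlib
import os

TUNNEL_PASSWORD = 69   # RADIUS attribute type for Tunnel-Password (RFC 2868)
HEADER_LEN = 5         # type, length, tag and the 2-octet salt precede the encrypted string


def encode_tunnel_password(password, secret, request_authenticator, tag=0, salt=None):
    """Build a complete Tunnel-Password AVP: type, length, tag, salt, encrypted string.

    The cleartext string is <length octet><password>, zero-padded to a multiple of
    16 octets. Block 1 is XORed with MD5(secret + Request-Authenticator + salt);
    block n with MD5(secret + ciphertext of block n-1). The encrypted string is
    therefore always a multiple of 16 octets, which is what the NAS verifies.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    if salt is None:
        # The high bit of the first salt octet MUST be set (RFC 2868 section 3.5).
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)          # pad to a 16-octet boundary
    if len(password) > 255 or HEADER_LEN + len(plain) > 255:
        raise ValueError("password too long for a single attribute")
    out = bytearray()
    prev = hashlib.md5(secret + request_authenticator + salt).digest()
    for i in range(0, len(plain), 16):
        block = bytes(a ^ b for a, b in zip(plain[i:i + 16], prev))
        out += block
        prev = hashlib.md5(secret + block).digest()
    value = bytes([tag]) + salt + bytes(out)
    return bytes([TUNNEL_PASSWORD, 2 + len(value)]) + value


def decode_tunnel_password(avp, secret, request_authenticator):
    """Parse and decrypt a Tunnel-Password AVP; returns (tag, password).

    Applies the length check a NAS performs before decrypting: the encrypted
    string (everything after the 5-octet header) must be a non-zero multiple of 16.
    """
    if len(avp) < HEADER_LEN or avp[0] != TUNNEL_PASSWORD or avp[1] != len(avp):
        raise ValueError("malformed Tunnel-Password AVP")
    tag, salt, ciphertext = avp[2], avp[3:5], avp[5:]
    if tag > 0x1F:
        raise ValueError("invalid tag")
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    if len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("Tunnel-Password length not multiple of 16")
    plain = bytearray()
    prev = hashlib.md5(secret + request_authenticator + salt).digest()
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(block, prev))
        prev = hashlib.md5(secret + block).digest()
    pw_len = plain[0]
    if pw_len > len(plain) - 1:
        raise ValueError("embedded length exceeds decrypted data")
    return tag, bytes(plain[1:1 + pw_len])


def encrypted_string_length(avp_length):
    """Octets left for the encrypted string, given the attribute Length field as the NAS prints it."""
    return avp_length - HEADER_LEN


def length_is_valid(avp_length):
    """True if an attribute of this Length field carries a well-formed encrypted string."""
    string_len = encrypted_string_length(avp_length)
    return string_len > 0 and string_len % 16 == 0


if __name__ == "__main__":
    # Constructed values: not the secret or authenticator from the post.
    secret = b"testing123"
    request_authenticator = bytes(range(16))
    avp = encode_tunnel_password(b"cisco", secret, request_authenticator, salt=b"\x85\x42")
    print("attribute length", avp[1], "decodes to", decode_tunnel_password(avp, secret, request_authenticator))
    print("Length 52 valid?", length_is_valid(52), "Length 53 valid?", length_is_valid(53))
```

Run against the figures in the debug output: a Length of 52 gives 47 octets of encrypted string and fails the check, whereas a correctly padded three-block value would be 53 octets long (5 + 48); a single-block value such as the 5-character password used with radtest is 21 octets.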