WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Narender Yadav
narender.yadav at mojonetworks.com
Thu Dec 29 14:22:14 CET 2016
Hello Everyone,
I am new to the FreeRADIUS world and got stuck at one point.
My setup:
- FreeRADIUS server
  - Users mentioned in ‘/usr/local/etc/raddb/mods-config/files/authorize’
      test Cleartext-Password := "welcome"
  - Clients mentioned in ‘/usr/local/etc/raddb/clients.conf’
      client x.x.x.x{
        secret=test
      }
    where x.x.x.x is the IP address of the RADIUS client machine
- RADIUS client
  - RADIUS server is defined in ‘/etc/raddb/server’
      y.y.y.y test 2
    where y.y.y.y is the IP address of the RADIUS server
*We have one application server where a RADIUS client is already built and
it's working fine with the newly configured RADIUS server. The issue is with
the RADIUS client that I have set up.*
When trying to log in to the RADIUS client machine using user ‘test’, I am
getting the below error in the debug logs:
I have checked again and the shared secret is the same on the NAS and the RADIUS server.
--------------------------------------------------------------------------------------------------------------------------------------
(1) Received Access-Request Id 33 from x.x.x.x:44896 to 10.222.34.65:1812
length 90
(1) User-Name = "test"
(1) User-Password = "\010\n\r\177INCORRECT"
(1) NAS-IP-Address = 10.222.34.227
(1) NAS-Identifier = "sshd"
(1) NAS-Port = 3874
(1) NAS-Port-Type = Virtual
(1) Service-Type = Authenticate-Only
(1) Calling-Station-Id = "115.113.149.70"
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry test at line 1
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password "? ?INCORRECT" does not match "known
good" password
(1) pap: Passwords don't match
(1) [pap] = reject
(1) } # Auth-Type PAP = reject
(1) Failed to authenticate the user
(1) WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> test
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 33 from 10.222.34.65:1812 to x.x.x.x:44896 length
20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 33 with timestamp +132
Ready to process requests
*Regards,*
*Narender Yadav*
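
The warning in the debug output comes down to how User-Password is hidden on the wire (RFC 2865, section 5.2). The sketch below is an added example, not part of the original post and not FreeRADIUS code; the function names, the Request Authenticator and the has_unprintable() heuristic are assumptions made for illustration, while the secret and password values are the ones shown in the post.

```python
import hashlib

def _xor_block(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Keystream for one 16-byte block is MD5(shared secret + previous ciphertext block).
    key = hashlib.md5(secret + prev).digest()
    return bytes(b ^ k for b, k in zip(block, key))

def hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: RFC 2865 section 5.2 User-Password hiding."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)  # pad with NULs to a 16-byte multiple
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does, using its own copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor_block(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def has_unprintable(password: bytes) -> bool:
    # Assumed heuristic for illustration, not FreeRADIUS's own check.
    return any(b < 0x20 or b >= 0x7F for b in password)

AUTH = bytes(range(16))          # constructed Request Authenticator
SECRET = b"test"                 # shared secret from the post
JUNK = b"\x08\n\r\x7fINCORRECT"  # User-Password bytes shown in the debug log

if __name__ == "__main__":
    good = unhide(hide(b"welcome", SECRET, AUTH), SECRET, AUTH)
    bad = unhide(hide(b"welcome", SECRET, AUTH), b"tset", AUTH)
    junk = unhide(hide(JUNK, SECRET, AUTH), SECRET, AUTH)
    for label, pw in (("matching secret", good), ("wrong secret", bad), ("log value", junk)):
        print(f"{label:16} {pw!r} unprintable={has_unprintable(pw)}")
```

A wrong secret scrambles the whole 16-byte block, so a value that decodes with a readable "INCORRECT" tail was sent in that form by the client. OpenSSH's PAM code substitutes this exact string for the password when it does not consider the login name a valid account on the sshd host.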