Fwd: ERROR: pap : Cleartext password does not match "known good" password

orion doty orion.doty at gmail.com
Wed May 11 12:42:55 CEST 2016


I don't understand what is happening to the password as I can see it
correctly in the access request.   I also would have expected to see the
password on this line just before the error:


(0)  Auth-Type PAP {

(0)  pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE???
IT IS NOT]



Here is the full output (minus the IP addresses):

Received Access-Request Id 8 from X:18852 to X:1812 length 107

User-Name = '20c9d081bcc3'

User-Password = '20c9d081bcc3'

NAS-Identifier = '58-B6-33-1A-7D-20'

NAS-IP-Address = X

Service-Type = Login-User

NAS-Port-Type = Wireless-802.11

Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c

(0) Received Access-Request packet from host X port 18852, id=8, length=107

(0) User-Name = '20c9d081bcc3'

(0) User-Password = '20c9d081bcc3'

(0) NAS-Identifier = '58-B6-33-1A-7D-20'

(0) NAS-IP-Address = X

(0) Service-Type = Login-User

(0) NAS-Port-Type = Wireless-802.11

(0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c

(0) # Executing section authorize from file /etc/raddb/sites-enabled/default

(0)   authorize {

(0)   filter_username filter_username {

(0)     if (!&User-Name)

(0)     if (!&User-Name)  -> FALSE

(0)     if (&User-Name =~ / /)

(0)     if (&User-Name =~ / /)  -> FALSE

(0)     if (&User-Name =~ /@.*@/ )

(0)     if (&User-Name =~ /@.*@/ )  -> FALSE

(0)     if (&User-Name =~ /\\.\\./ )

(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE

(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))

(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE

(0)     if (&User-Name =~ /\\.$/)

(0)     if (&User-Name =~ /\\.$/)   -> FALSE

(0)     if (&User-Name =~ /@\\./)

(0)     if (&User-Name =~ /@\\./)   -> FALSE

(0)   } # filter_username filter_username = notfound

(0)   [preprocess] = ok

(0)  sql : EXPAND %{User-Name}

(0)  sql :    --> 20c9d081bcc3

(0)  sql : SQL-User-Name set to '20c9d081bcc3'

rlm_sql (sql): Reserved connection (4)

(0)  sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id

(0)  sql :    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '20c9d081bcc3' ORDER BY id

rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id'

(0)  sql : User found in radcheck table

(0)  sql : Check items matched

(0)  sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id

(0)  sql :    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = '20c9d081bcc3' ORDER BY id

rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id'

(0)  sql : User found in radreply table

(0)  sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority

(0)  sql :    --> SELECT groupname FROM radusergroup WHERE username =
'20c9d081bcc3' ORDER BY priority

rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE
username = '20c9d081bcc3' ORDER BY priority'

(0)  sql : User not found in any groups

rlm_sql (sql): Released connection (4)

(0)   [sql] = ok

(0)    if (notfound)

(0)    if (notfound)  -> FALSE

(0)  expiration : Account will expire at 'May 12 2016 13:00:00 UTC'

(0)   [expiration] = ok

(0)    if (userlock)

(0)    if (userlock)  -> FALSE

(0)   [logintime] = noop

(0)   [pap] = updated

(0)  } #  authorize = updated

(0) Found Auth-Type = PAP

(0) # Executing group from file /etc/raddb/sites-enabled/default

(0)  Auth-Type PAP {

(0)  pap : Login attempt with password

*(0)  ERROR: pap : Cleartext password does not match "known good" password*

(0)  pap : Passwords don't match

(0)   [pap] = reject

(0)  } # Auth-Type PAP = reject

(0) Failed to authenticate the user

(0) Using Post-Auth-Type Reject

(0) # Executing group from file /etc/raddb/sites-enabled/default

(0)  Post-Auth-Type REJECT {

(0)  attr_filter.access_reject : EXPAND %{User-Name}

(0)  attr_filter.access_reject :    --> 20c9d081bcc3

(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11

(0)   [attr_filter.access_reject] = updated

(0)  } # Post-Auth-Type REJECT = updated

(0) Delaying response for 1 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(0) Sending delayed response

Waking up in 3.9 seconds.

(0) Cleaning up request packet ID 8 with timestamp +6


Of note: records in the MySQL radcheck table related to the user:


| 54 | 20C9D081BCC3 | Expiration         | := | 12 May 2016 13:00 |

| 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |

| 56 | 20C9D081BCC3 | Site-Id            | := | LAB               |
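
A check that lines up the values in the debug output above with the radcheck rows, as an added example that is not part of the original post or of FreeRADIUS: the request carries `20c9d081bcc3` while the table stores `20C9D081BCC3`. It assumes the SQL username lookup is case-insensitive (the default for MySQL `_ci` collations), which the "User found in radcheck table" line is consistent with, and that the PAP comparison is exact; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the debug output and radcheck rows above.
DEBUG_LOG = """\
(0) User-Name = '20c9d081bcc3'
(0) User-Password = '20c9d081bcc3'
(0)  sql : User found in radcheck table
(0)  ERROR: pap : Cleartext password does not match "known good" password
"""
RADCHECK_ROWS = """\
| 54 | 20C9D081BCC3 | Expiration         | := | 12 May 2016 13:00 |
| 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3      |
| 56 | 20C9D081BCC3 | Site-Id            | := | LAB               |
"""
ATTR_RE = re.compile(r"^\(\d+\)\s+([\w-]+) = '(.*)'$")

def request_attrs(log):
    """Collect request attributes printed as (N) Name = 'value' by radiusd -X."""
    attrs = {}
    for line in log.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), m.group(2))
    return attrs

def radcheck(rows):
    """Parse mysql-client table rows into (username, attribute, op, value)."""
    out = []
    for line in rows.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 5:
            out.append(tuple(cells[1:]))
    return out

def diagnose(log, rows):
    """Compare what the NAS sent with what radcheck stores for that user."""
    req = request_attrs(log)
    name, sent = req.get("User-Name", ""), req.get("User-Password", "")
    findings = set()
    for user, attr, _op, value in radcheck(rows):
        # Assumption: the SQL WHERE clause matches usernames ignoring case.
        if user.lower() != name.lower():
            continue
        if user != name:
            findings.add("username-case-differs")
        if attr == "Cleartext-Password":
            # PAP compares the two strings exactly, so case matters here.
            same_ci = sent.lower() == value.lower()
            findings.add("password-match" if sent == value else
                         "password-case-differs" if same_ci else "password-differs")
    return sorted(findings)
```
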

