Access-Reject in Password using Cisco

MDS Test mdstest.99999 at gmail.com
Fri Dec 7 21:19:49 CET 2018 

Hi,

We are running freeradius 2.2.7 and decided it is time to move to a
latest version.    The person who built the existing server is no
longer with us.  Knowing that configuration from version 2 cannot be
ported to version 3, we had learn it.

So we are able to get a working version 3.13 up and able to proxy the
request into an rsa server.  Authenticating from a juniper network and
linux host works.  But when we authenticate from a cisco device it
fails.

Below is the snippet of the log:
...
(0) Converting control list to client fields
(0)   ipv4addr = 10.8.4.36
(0)   secret = xxxxx
(0)   shortname = evtlmdt-chnp11
(0)   nas_type = other
(0)   virtual_server = default
Adding client 10.8.4.36/32 with shared secret "xxxxx"
(0) Received Access-Request Id 20 from 10.8.4.36:1812 to
10.8.2.16:1812 length 75
(0)   User-Password = "\346)!M\367\341\233\305F\342\344\227\350\245\327\313"
(0)   NAS-IP-Address = 10.8.4.36
(0)   NAS-Port-Type = Virtual
(0)   NAS-Port = 1
(0)   Calling-Station-Id = "10.2.2.31"
(0)   User-Name = "ec2624"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radius/radacct/10.8.4.36/auth-detail-20181207
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.8.4.36/auth-detail-20181207
(0) auth_log: EXPAND %t
(0) auth_log:    --> Fri Dec  7 18:31:40 2018
(0)     [auth_log] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "ec2624", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "ec2624"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) files: users: Matched entry DEFAULT at line 1
(0)     [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql:    --> ec2624
(0) sql: SQL-User-Name set to 'ec2624'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = 'ec2624' ORDER BY id
(0) sql: Executing select query: SELECT id, UserName, Attribute,
Value, Op FROM radcheck WHERE Username = 'ec2624' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(0) sql: EXPAND SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT GroupName FROM radusergroup WHERE
UserName='ec2624' ORDER BY priority
(0) sql: Executing select query: SELECT GroupName FROM radusergroup
WHERE UserName='ec2624' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = 'TIER-4_RW' ORDER BY id
(0) sql: Executing select query: SELECT id, GroupName, Attribute,
Value, op FROM radgroupcheck WHERE GroupName = 'TIER-4_RW' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(0) sql: Group "TIER-4_RW": Conditional check items matched
(0) sql: Group "TIER-4_RW": Merging assignment check items
(0) sql: EXPAND SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY id
(0) sql:    --> SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = 'TIER-4_RW' ORDER BY id
(0) sql: Executing select query: SELECT id, GroupName, Attribute,
Value, op FROM radgroupreply WHERE GroupName = 'TIER-4_RW' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(0) sql: Group "TIER-4_RW": Merging reply items
rlm_sql (sql): Released connection (0)
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Starting proxy to home server 135.37.245.6 port 1812
(0) # Executing section pre-proxy from file /etc/raddb/sites-enabled/default
(0)   pre-proxy {
(0) pre_proxy_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
(0) pre_proxy_log:    -->
/var/log/radius/radacct/10.8.4.36/pre-proxy-detail-20181207
(0) pre_proxy_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
expands to /var/log/radius/radacct/10.8.4.36/pre-proxy-detail-20181207
(0) pre_proxy_log: EXPAND %t
(0) pre_proxy_log:    --> Fri Dec  7 18:31:40 2018
(0)     [pre_proxy_log] = ok
(0)   } # pre-proxy = ok
(0) Proxying request to home server 135.37.245.6 port 1812 timeout 30.000000
(0) Sent Access-Request Id 216 from 0.0.0.0:44743 to 135.37.245.6:1812
length 103
(0)   User-Password = "\346)!M\367\341\233\305F\342\344\227\350\245\327\313"
(0)   NAS-IP-Address = 10.8.4.36
(0)   NAS-Port-Type = Virtual
(0)   NAS-Port = 1
(0)   Calling-Station-Id = "10.2.2.31"
(0)   User-Name = "ec2624"
(0)   Event-Timestamp = "Dec  7 2018 18:31:40 GMT"
(0)   Message-Authenticator := 0x00
(0)   Proxy-State = 0x3230
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 29.668236 seconds from now
Waking up in 29.6 seconds.
(0) Marking home server 135.37.245.6 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Reject Id 216 from 135.37.245.6:1812 to
10.8.2.16:44743 length 24
(0)   Proxy-State = 0x3230
(0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
(0)   post-proxy {
(0) post_proxy_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
(0) post_proxy_log:    -->
/var/log/radius/radacct/10.8.4.36/post-proxy-detail-20181207
(0) post_proxy_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d
expands to /var/log/radius/radacct/10.8.4.36/post-proxy-detail-20181207
(0) post_proxy_log: EXPAND %t
(0) post_proxy_log:    --> Fri Dec  7 18:31:40 2018
(0)     [post_proxy_log] = ok
(0) eap: No pre-existing handler found
(0)     [eap] = noop
(0)     update proxy-reply {
(0)       Filter-Id !* ANY
(0)       Fortinet-Access-Profile !* ANY
(0)       Juniper-Local-User-Name !* ANY
(0)       Cisco-AVPair !* ANY
(0)       PaloAlto-Admin-Role !* ANY
(0)       PaloAlto-Panorama-Admin-Role !* ANY
(0)       F5-LTM-User-Info-1 !* ANY
(0)     } # update proxy-reply = noop
(0)     if ("%{proxy-reply:Packet-Type}" == Access-Accept) {
(0)     EXPAND %{proxy-reply:Packet-Type}
(0)        --> Access-Reject
(0)     if ("%{proxy-reply:Packet-Type}" == Access-Accept)  -> FALSE
(0)   } # post-proxy = ok
(0) EXPAND %{User-Name} failed authentication for %{Packet-Src-IP-Address}
(0)    --> ec2624 failed authentication for 10.8.4.36
(0) Login incorrect (Home Server says so): [ec2624] (from client
evtlmdt-chnp11 port 1 cli 10.2.2.31) ec2624 failed authentication for
10.8.4.36
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> ec2624
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 20 from 10.8.2.16:1812 to 10.8.4.36:1812 length 20
Waking up in 3.9 seconds.
Waking up in 5.3 seconds.



I noticed that this field User-Password =
"\346)!M\367\341\233\305F\342\344\227\350\245\327\313"  seems to be
the issue but i am not certain.   I think this data is being sent to
the rsa server instead of clear text. The clear text value of that
password is 16752550.  This is an OTP. But when we are authenticating
to a linux host,  the password field is clear text.

In our version 2.0,  we are able to authenticate to the cisco gear.
I am still learning freeradius and would like if you can point me how
to fix this.

mds

More information about the Freeradius-Users mailing list