Backslash in AD Password

Bernhard Knoll Bernhard.Knoll at check24.de
Thu Jul 12 16:58:40 CEST 2018


Hello,

Is it possible to see what password a module is forwarding to an application?
I have the problem that I run freeradius with external OTP software (LinOTP) via an rlm_perl module.

When I try to authenticate from a Cisco ASA with Anyconnect the authentication fails if there is a backslash in the username.
If I try to authenticate directly against the OTP software it works with the backslash.
In the radius -X log I see the password with an escaped backslash:

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/linotp
+group authenticate {
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
rlm_perl: Default URL https://linotpserver/validate/simplecheck
rlm_perl: RAD_REQUEST: Called-Station-Id = y.y.y.y
rlm_perl: RAD_REQUEST: Vendor-3076-Attr-146 = 0x4d55435f48515f53706c6974496e7465726e65745f324641
rlm_perl: RAD_REQUEST: Cisco-AVPair = ARRAY(0x1607ff0)
rlm_perl: RAD_REQUEST: NAS-IP-Address = z.z.z.z
rlm_perl: RAD_REQUEST: Vendor-3076-Attr-150 = 0x00000002
rlm_perl: RAD_REQUEST: Tunnel-Client-Endpoint = x.x.x.x
rlm_perl: RAD_REQUEST: Calling-Station-Id = x.x.x.x
rlm_perl: RAD_REQUEST: User-Name = test-vpn
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: User-Password = 123456a\\932684
rlm_perl: RAD_REQUEST: NAS-Port = 19587072
rlm_perl: Auth-Type: perl
rlm_perl: Url: https://172.28.8.190/validate/simplecheck
rlm_perl: User: test-vpn
rlm_perl: urlparam pass = 123456a\\932684
rlm_perl: urlparam realm = check24
rlm_perl: urlparam client = a.a.a.a.a
rlm_perl: urlparam user = test-vpn
rlm_perl: Content :-(
rlm_perl: return RLM_MODULE_REJECT
rlm_perl: Added pair Called-Station-Id = y.y.y.y.
rlm_perl: Added pair Vendor-3076-Attr-146 = 0x4d55435f48515f53706c6974496e7465726e65745f324641
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-platform=android
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-type=Xiaomi Mi A1
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-mac=f4-f5-db-ea-66-e9
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-platform-version=8.0.0
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-phone-id=GSM:865181033404965
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=ac-user-agent=AnyConnect Android 4.6.00143
rlm_perl: Added pair Cisco-AVPair = mdm-tlv=device-uid=48FE3052979F54499178B9B0CB4F940BFB462365F18920AA5D715718BCAF15E9
rlm_perl: Added pair Cisco-AVPair = audit-session-id=c0a80101012ae0005b4769b5
rlm_perl: Added pair Cisco-AVPair = ip:source-ip=x.x.x.x
rlm_perl: Added pair Cisco-AVPair = coa-push=true
rlm_perl: Added pair NAS-IP-Address = z.z.z.z.
rlm_perl: Added pair Vendor-3076-Attr-150 = 0x00000002
rlm_perl: Added pair Tunnel-Client-Endpoint = x.x.x.x
rlm_perl: Added pair Calling-Station-Id = x.x.x.x
rlm_perl: Added pair User-Name = test-vpn
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair User-Password = 123456a\\932684
rlm_perl: Added pair NAS-Port = 19587072
rlm_perl: Added pair Reply-Message = LinOTP server denied access!
rlm_perl: Added pair Auth-Type = perl
++[perl] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 142 to z.z.z.z. port 54015
        Reply-Message = "LinOTP server denied access!"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 142 with timestamp +46
Ready to process requests.

Is there a way to see if freeradius sends the password with 2 backslashes?

Bernhard Knoll
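Added example, not part of the original post: a small Perl helper that answers the question above from inside the rlm_perl module by dumping the exact bytes of User-Password, so a single backslash that the debug log prints as `\\` can be told apart from two literal backslashes before the value is sent on to LinOTP. It assumes the `%RAD_REQUEST` hash and `radiusd::radlog` of FreeRADIUS's stock example.pl; the two sample passwords are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Describe the exact bytes of a password value: its length, a hex dump and
# the number of literal backslash bytes (0x5c) it contains. The hex dump is
# unambiguous, unlike the debug printer, which may escape a backslash as "\\".
sub describe_password {
    my ($pw) = @_;
    my $hex  = unpack('H*', $pw);      # lowercase hex of every byte
    my $n_bs = () = $pw =~ /\\/g;      # count single backslash characters
    return sprintf('len=%d hex=%s backslashes=%d', length($pw), $hex, $n_bs);
}

# Inside rlm_perl, call it from authenticate() (assumption: the module uses the
# stock example.pl interface, where the request attributes live in %RAD_REQUEST
# and radiusd::radlog(level, message) writes to the FreeRADIUS log), e.g.:
#
#   &radiusd::radlog(1, 'pw bytes: '
#       . describe_password($RAD_REQUEST{'User-Password'}));
#
# Compare the hex with what the OTP server receives to locate where a second
# backslash is introduced (RADIUS client, module, or URL encoding).

# Stand-alone check with constructed values: the two candidates that the
# debug line "User-Password = 123456a\\932684" could correspond to.
my $one_backslash = "123456a\\932684";      # one literal backslash
my $two_backslash = "123456a\\\\932684";    # two literal backslashes
print describe_password($one_backslash), "\n";
print describe_password($two_backslash), "\n";
```

If the hex dump inside the module shows a single 5c, the doubled backslash in the log is only the debug printer's escaping and the problem lies further along (for example in how the value is placed into the URL parameter); if it shows 5c 5c, the RADIUS client is already sending two.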
More information about the Freeradius-Users mailing list