Odd behavior on authentication (w/ logs)

Alan DeKok aland at deployingradius.com
Fri Nov 10 10:38:23 UTC 2023


On Nov 9, 2023, at 7:16 PM, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> I'm not avoiding anything.  Many other lists don't like huge amounts of debug.  I was trying to be respectful.  Clearly this list has different expectations.  That's fine.  I wasn't aware.

  When you join the list, you get an email which says POST THE DEBUG OUTPUT OR PEOPLE WILL BE MAD AT YOU.

  It also says similar things in the Wiki, the "man" page, etc.  But apparently it needs to be in more places.  Where else should we put that text so that people will read it?

  I've been asking people that for 20+ years, and no one has ever replied. 

> Here's the debug.  The password received isn't remotely what I typed ("password123"):
> 
> (0) Received Access-Request Id 227 from 172.21.12.17:54545 to 172.27.44.237:1812 length 96
> (0)   User-Name = "pprindeville2"
> (0)   User-Password = "\010\n\r\177INCORRE"

  That's telling.  It's a PAM / whatever issue.  It isn't a RADIUS issue.  The password is changed somewhere on the RADIUS client, before it's sent in the RADIUS packet.

  It's usually the PAM infrastructure which is checking one source for the password, deciding that the password is wrong, and then mangling the password for all other PAM methods.

  The solution is to fix the PAM system so that it relies on RADIUS, and only on RADIUS.  Fixing the NSS configuration won't help.  That does something different.

> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Identifier = "sshd"
> (0)   NAS-Port = 334707
> (0)   NAS-Port-Type = Virtual
> (0)   Service-Type = Authenticate-Only
> (0)   Calling-Station-Id = "172.21.12.3"
> 
> Also note that the NAS-IP-Address is wrong.

  The server doesn't invent the NAS-IP-Address.  It's sent by the RADIUS client.  If it's "wrong", then the client is sending the wrong thing.  Go fix the client.

  So pretty much none of this is a FreeRADIUS issue.  It's other software which is broken and lying to you.

  Alan DeKok.
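
A check for this symptom in FreeRADIUS debug output, as an added example that is not part of the original message: it decodes the escaped User-Password and flags requests where the value is the byte pattern `\b\n\r\177INCORRECT` cycled to the password's length, which matches the 11 bytes logged above for the 11-character "password123". Treating that pattern as the placeholder OpenSSH's PAM code sends in place of the typed password is this example's assumption, all function names are hypothetical, and the second request in the sample log is constructed.

```python
import re

# Assumption of this example: the placeholder OpenSSH's PAM code cycles through.
JUNK = b"\b\n\r\x7fINCORRECT"

# "(N)   Attr-Name = value", with or without a leading "> " e-mail quote.
ATTR_RE = re.compile(r'\((\d+)\)\s+([\w-]+) = "?(.*?)"?\s*$')
ESC_RE = re.compile(rb'\\([0-3][0-7]{2}|.)')
SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"\\": b"\\", b'"': b'"'}

def unescape(value: str) -> bytes:
    """Decode debug-output escapes: \\ooo octal, \\n, \\r, \\t, \\\\ and \\"."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok, 8)]) if len(tok) == 3 else SIMPLE.get(tok, tok)
    return ESC_RE.sub(repl, value.encode("latin-1"))

def is_placeholder(pw: bytes) -> bool:
    """True if pw is JUNK cycled to pw's own length (never true for empty)."""
    return bool(pw) and all(b == JUNK[i % len(JUNK)] for i, b in enumerate(pw))

def find_placeholder_requests(log: str):
    """Return [(request_no, user_name)] whose User-Password is the placeholder."""
    users, hits = {}, []
    for line in log.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue  # e.g. the "Received Access-Request" header line
        req, attr, val = int(m.group(1)), m.group(2), m.group(3)
        if attr == "User-Name":
            users[req] = val
        elif attr == "User-Password" and is_placeholder(unescape(val)):
            hits.append((req, users.get(req, "?")))
    return hits

# Request (0) is quoted from the message above; request (1) is constructed.
SAMPLE = r'''
> (0) Received Access-Request Id 227 from 172.21.12.17:54545 to 172.27.44.237:1812 length 96
> (0)   User-Name = "pprindeville2"
> (0)   User-Password = "\010\n\r\177INCORRE"
(1) Received Access-Request Id 228 from 192.0.2.10:40000 to 192.0.2.1:1812 length 80
(1)   User-Name = "alice"
(1)   User-Password = "correct horse"
'''

if __name__ == "__main__":
    for req, user in find_placeholder_requests(SAMPLE):
        print(f"request ({req}) user {user!r}: password replaced before it reached RADIUS")
```

A hit means the typed password never left the client host, so the place to look is the client's sshd/PAM setup rather than the RADIUS server.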


