Freeradius: Unprintable characters in the password

aeg · October 30, 2017, 1:09pm

Hello everyone!

I’m failing make VyOS 1.1.7 authorize CLI users in FreeRADIUS 3.0.15.
I’ve found posts on the forum saying that it is possible I’m but not sure how.

The issue itself is in the fact that FreeRADIUS is not able to decode the incoming User-Password AVP.
The password 1qazXSW@ is encoded as below in radiusd -X debug logs:

And in tshark:

AVP: l=18 t=User-Password(2): Encrypted AVP Type: 2 AVP Length: 18 User-Password (encrypted): 5de414c0b637273fc2cc5cd36ffe4d54

FreeRADIUS gives pretty clear explanation in logs:
i WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS![/i]

The secrets are equal of course…

VyOS configuration:

aeg@VyOS-1-1# show system login radius-server radius-server 10.0.0.56 { secret 12345678 }
FreeRADIUS configuration:

client vyos-1-1 { ipaddr = 10.0.0.57 secret = 12345678 require_message_authenticator = no nas_type = other limit { max_connections = 5 lifetime = 0 idle_timeout = 30 } }
No spaces left after the last secret digit

The main reason why I’m here, rather than on FreeRADIUS forum is that wireshark also decodes the AVP as “\010\n\r\177INCORRECT” when I specify the secret.

Does anyone have an idea what else I should check?

syncer · November 3, 2017, 8:03pm

That is likely bug,
all that part with remote user sources is due to rewrite

aeg · November 4, 2017, 8:23am

Noted, thank you for the reply.

syncer · November 4, 2017, 1:04pm

If you interested,
please join us on https://phabricator.vyos.net
Here is particular task - ⚓ T141 TACACS+ Support
All input is welcome

aeg · November 6, 2017, 7:14pm

Spent two days for it, but finally I know the reason.
pam_radius library can’t correctly encrypt the password when there is no user defined in system (/etc/passwd).

[code]aeg@VyOS-1-1# grep tester /etc/passwd
tester:x:1002:100::/home/tester:/bin/vbash

aeg@VyOS-1-1# show system login user tester
authentication {
encrypted-password !
plaintext-password “”
}[/code]
Once the user is defined - the password is encrypted correctly.

code Received Access-Request Id 199 from 10.0.0.57:7708 to 10.0.0.56:1812 length 88
(1) User-Name = “tester”
(1) User-Password = “qwe”
(1) NAS-IP-Address = 127.0.1.1
(1) NAS-Identifier = “sshd”[/code]

It looks like we only can change it by changing pam_radius library somehow.