Question

FreeRadius and VDX NOS cleartext password issue

  • 29 October 2019
  • 9 replies
  • 1750 views

I have freeradius for radius server and attempting authentication from VDX-6740.  When I look at the debug of freeradius (freeradius -X) I see that the VDX is not sending cleartext to freeradius but some control codes following the password which is causing authentication to fail.  In this example the cleartext password is “password” and that’s what’s being entered but several control characters are being added causing it to fail.  Does anyone know how to fix this?

Ready to process requests
(2) Received Access-Request Id 231 from 192.168.86.20:28018 to 192.168.86.3:1812 length 75
(2)   User-Name = "networkadmin"
(2)   User-Password = "password123\000\000\000\000\021"
(2)   NAS-IP-Address = 192.168.86.20
(2)   NAS-Identifier = "sw0"
(2)   NAS-Port = 26993
(2)   NAS-Port-Type = Virtual
.

.

.

(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: ERROR: Cleartext password does not match "known good" password
(2) pap: Passwords don't match
(2)     [pap] = reject
(2)   } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject

9 replies

Userlevel 3

Hello Kenneth,

  • Which NOS version are you running? 
  • Has this worked before or new setup?
  • Do you have multiple VDX in your VCS? If so, do you see this on other VDX too?
  • Have you tried removing the radius host configuration on the VDX, and re-add it? 
  • Does it always append the same characters to all passwords?

We may need a packet capture from the VDX management interface to confirm that the VDX is adding these characters when it’s leaving the switch. 

NOS 7.3.0a

This is first time, new setup

One VDX currently, 6740

I have redone the radius host configuration a few times and re-added it

I’ll have to check if the same characters are added each time...I’ll create another user with admin role and different password and see if there’s a difference

It’s only the VDX that appends these characters to cleartext passwords.  If I use test clients like Linux radtest or a simple RADIUS tool on an Android device with the same account there’s no issue.

Ken

Userlevel 3

I tried in our lab and was able to authenticate without issues. 

[root@CentOS7 ~]# radiusd -X
FreeRADIUS Version 3.0.13

...

(1) Received Accounting-Request Id 247 from 10.26.143.242:13976 to 10.26.142.82:1813 length 90
(1) User-Name = "test123"
(1) NAS-IP-Address = 10.26.143.242
(1) NAS-Identifier = "sw0"
(1) Calling-Station-Id = "134.141.54.205"
(1) NAS-Port = 12951
(1) NAS-Port-Type = Virtual
(1) Acct-Status-Type = Start
(1) Acct-Session-Id = "00012951"
(1) Acct-Authentic = RADIUS
(1) # Executing section preacct from file /etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) update request {
(1) &Tmp-String-9 := "ai:"
(1) } # update request = noop
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1) EXPAND %{hex:&Class}
(1) -->
(1) EXPAND ^%{hex:&Tmp-String-9}
(1) --> ^61693a
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 671d2208a23a54a3debe9733f362a5b2
(1) &Acct-Unique-Session-Id := 671d2208a23a54a3debe9733f362a5b2
(1) } # update request = noop
(1) } # else = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test123", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file /etc/raddb/sites-enabled/default
(1) accounting {
(1) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /var/log/radius/radacct/10.26.143.242/detail-20191029
(1) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.26.143.242/detail-20191029
(1) detail: EXPAND %t
(1) detail: --> Tue Oct 29 11:58:24 2019
(1) [detail] = ok
(1) [unix] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> test123
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 247 from 10.26.142.82:1813 to 10.26.143.242:13976 length 0
(1) Finished request


Also,  please confirm that you have the dictionary files configured and attribute roles set. 

[root@CentOS7 ~]# cat /etc/raddb/dictionary | grep brocade
$INCLUDE dictionary.brocade

[root@CentOS7 ~]# cat /etc/raddb/dictionary.brocade
#
# dictionary.brocade
#
VENDOR Brocade 1588
#
# attributes
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade

[root@CentOS7 ~]# cat /etc/raddb/users
...

test123 Auth-Type := pap
        Brocade-Auth-Role = "admin"


It looks like we are using slightly different versions of FreeRADIUS.  I’m running FreeRADIUS v3.0.17 on a Raspberry Pi 2 Model B, Raspbian (Debian 10.1), Linux kernel 4.19.75-v7+.  
I was following the VDX NOS 7.3 Security Guide to configure the RADIUS server.  Here are some configuration items.  

Here’s some VDX Info…
sw0# sh ver

Network Operating System Software
Network Operating System Version: 7.3.0a
Copyright (c) 1995-2017 Brocade Communications Systems, Inc.
Firmware name:      7.3.0a
Build Time:         07:59:32 Sep 24, 2018
Install Time:       21:43:04 Oct 29, 2019
Kernel:             2.6.34.6

BootProm:           1.0.1
Control Processor:  e500mc with 4096 MB of memory

Slot    Name    Primary/Secondary Versions                         Status
---------------------------------------------------------------------------
SW/0    NOS     7.3.0a                                             ACTIVE*
                7.3.0a
SW/1    NOS     7.3.0a                                             STANDBY
                7.3.0a


sw0# show running-config radius-server host 192.168.86.3
radius-server host 192.168.86.3 use-vrf mgmt-vrf
 protocol pap key "VaXhc9WCy+1IwRU2ZaS2vQ==\n" encryption-level 7 timeout 10

sw0# show running-config aaa
aaa authentication login radius local-auth-fallback
aaa accounting exec default start-stop none
aaa accounting commands default start-stop none

sw0# show running-config username
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator
username networkadmin password "QSrTWRQ4q43BkajCtwxNVw==\n" encryption-level 7 role admin
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User

Here’s FreeRadius Info…
root@pi-radius:/usr/share/freeradius# cat dictionary.brocade
# -*- text -*-
#
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
#
VENDOR          Brocade                         1588

BEGIN-VENDOR    Brocade

ATTRIBUTE       Brocade-Auth-Role               1       string
# Valid attribute values:
#   Admin BasicSwitchAdmin FabricAdmin Operator
#   SecurityAdmin SwitchAdmin User ZoneAdmin

ATTRIBUTE       Brocade-AVPairs1                2       string
ATTRIBUTE       Brocade-AVPairs2                3       string
ATTRIBUTE       Brocade-AVPairs3                4       string
ATTRIBUTE       Brocade-AVPairs4                5       string
# Brocade-AVPairs1/2/3/4:
#   Optional, specifies Admin Domain or Virtual Fabric List

ATTRIBUTE       Brocade-Passwd-ExpiryDate       6       string  # Format: MM/DD/YYYY
ATTRIBUTE       Brocade-Passwd-WarnPeriod       7       string  # Format: integer in days
root@pi-radius:/usr/share/freeradius# cat /etc/freeradius/3.0/users
...
#The following is for Brocade VDX User
networkadmin    Cleartext-Password := "password123"
        Service-Type = Framed-User,
        Brocade-Auth-Role = "admin"

root@pi-radius:/usr/share/freeradius# cat /etc/freeradius/3.0/clients.conf
...
client private-network-1 {
        ipaddr = 192.168.86.0/24
        secret = testing123
}

Ready to process requests
(0) Received Access-Request Id 99 from 192.168.86.20:3272 to 192.168.86.3:1812 length 75
(0)   User-Name = "networkadmin"
(0)   User-Password = "password123\000\000\000\000\021"
(0)   NAS-IP-Address = 192.168.86.20
(0)   NAS-Identifier = "sw0"
(0)   NAS-Port = 2247
(0)   NAS-Port-Type = Virtual
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name) -> TRUE
(0)       if (&User-Name) {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /) -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ ) -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0)         if (&User-Name =~ /\.$/) {
(0)         if (&User-Name =~ /\.$/) -> FALSE
(0)         if (&User-Name =~ /@\./) {
(0)         if (&User-Name =~ /@\./) -> FALSE
(0)       } # if (&User-Name) = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0)     suffix: Checking for suffix after "@"
(0)     suffix: No '@' in User-Name = "networkadmin", looking up realm NULL
(0)     suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     files: users: Matched entry networkadmin at line 84
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0)     pap: Login attempt with password
(0)     pap: Comparing with "known good" Cleartext-Password
(0)     pap: ERROR: Cleartext password does not match "known good" password
(0)     pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0)     attr_filter.access_reject: EXPAND %{User-Name}
(0)     attr_filter.access_reject:    --> networkadmin
(0)     attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 99 from 192.168.86.3:1812 to 192.168.86.20:3272 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 99 with timestamp +951
Ready to process requests



Here’s a tcpdump of the conversation between the VDX (.20) and the FreeRadius Server (.3)


radius-conv2.pcap 2 total packets, 2 shown

No. Time Source Destination Protocol Length Info
1 0.000000 192.168.86.20 192.168.86.3 RADIUS 117 Access-Request id=156
Frame 1: 117 bytes on wire (936 bits), 117 bytes captured (936 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Oct 29, 2019 18:35:41.092892000 Eastern Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1572388541.092892000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 117 bytes (936 bits)
Capture Length: 117 bytes (936 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f), Dst: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
Destination: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
Address: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
Address: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.86.20, Dst: 192.168.86.3
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 103
Identification: 0x0000 (0)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x0d1e [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.86.20
Destination: 192.168.86.3
User Datagram Protocol, Src Port: 8507, Dst Port: 1812
Source Port: 8507
Destination Port: 1812
Length: 83
Checksum: 0x2c17 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 0.000000000 seconds]
[Time since previous frame: 0.000000000 seconds]
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x9c (156)
Length: 75
Authenticator: 9a4717419852e2d7582199745c94b9f6
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: t=User-Name(1) l=14 val=networkadmin
Type: 1
Length: 14
User-Name: networkadmin
AVP: t=User-Password(2) l=18 val=Encrypted
Type: 2
Length: 18
User-Password (encrypted): cd12d9b6b9e12234d8b7ccbd16444fd9
AVP: t=NAS-IP-Address(4) l=6 val=192.168.86.20
Type: 4
Length: 6
NAS-IP-Address: 192.168.86.20
AVP: t=NAS-Identifier(32) l=5 val=sw0
Type: 32
Length: 5
NAS-Identifier: sw0
AVP: t=NAS-Port(5) l=6 val=7482
Type: 5
Length: 6
NAS-Port: 7482
AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
Type: 61
Length: 6
NAS-Port-Type: Virtual (5)

No. Time Source Destination Protocol Length Info
2 1.004392 192.168.86.3 192.168.86.20 RADIUS 62 Access-Reject id=156
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Oct 29, 2019 18:35:42.097284000 Eastern Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1572388542.097284000 seconds
[Time delta from previous captured frame: 1.004392000 seconds]
[Time delta from previous displayed frame: 1.004392000 seconds]
[Time since reference or first frame: 1.004392000 seconds]
Frame Number: 2
Frame Length: 62 bytes (496 bits)
Capture Length: 62 bytes (496 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1), Dst: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
Destination: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
Address: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
Address: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.86.3, Dst: 192.168.86.20
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 48
Identification: 0xdd16 (56598)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x703e [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.86.3
Destination: 192.168.86.20
User Datagram Protocol, Src Port: 1812, Dst Port: 8507
Source Port: 1812
Destination Port: 8507
Length: 28
Checksum: 0x8602 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 1.004392000 seconds]
[Time since previous frame: 1.004392000 seconds]
RADIUS Protocol
Code: Access-Reject (3)
Packet identifier: 0x9c (156)
Length: 20
Authenticator: f7506bec99992303a263abb558345a24
[This is a response to a request in frame 1]
[Time from request: 1.004392000 seconds]


Userlevel 3

I'm able to see the same error if I force the authentication through /etc/raddb/users vs. the local passwd file. 

The padded 0’s appear to be parsed correctly when using the passwd file. I confirmed with Wireshark that the VDX is padding some 0’s when sending the password. 

As a workaround, can you uncomment the below line in /etc/raddb/sites-enabled/default to have freeradius remove the padded 0’s? Then, restart freeradius and try again? 

[root@CentOS7 ~]# grep filter_password /etc/raddb/sites-enabled/default
#       filter_password

If you don't have the above, try adding the solution from this page:

http://freeradius.1045715.n5.nabble.com/Cleartext-password-does-not-match-quot-known-good-quot-password-td5738098.html


Put this into raddb/sites-enabled/default, in the "authorize" section:

authorize {
        # Copy User-Password through %{string:...} so the NUL padding is dropped
        update request {
                &Tmp-String-0 := "%{string:User-Password}"
                &User-Password := "%{string:Tmp-String-0}"
        }

        ... everything else ...
}


Lastly, to track a fix for this issue, can you open a case with GTAC for us to document this to get it analyzed further? 


Please update the case# here once it’s open, so I can look for it to pick it up. 
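Editor's note, with an added worked example (not code from this thread, from FreeRADIUS or from Brocade). The debug output above prints non-printable octets as octal escapes, so "\000" is a NUL byte and "\021" is 0x11 (decimal 17): the switch sent "password123" followed by four NULs and one 0x11 byte, 16 octets in total. RFC 2865 section 5.2 requires the NAS to pad User-Password with NULs to a multiple of 16 octets before hiding it, which explains the NULs; the trailing 0x11 is not part of that padding, and it is the byte that defeats any server-side logic that only strips NULs. The script below implements the RFC 2865 hiding on both sides, keeps the decoded padding verbatim the way the posted debug output shows FreeRADIUS 3.0.17 doing, and applies a filter that truncates at the first NUL, which is the effect of the posted %{string:...} workaround. It also decodes the User-Password AVP from the posted pcap using the authenticator and ciphertext from frame 1 and the secret from the posted clients.conf; that frame is a different login attempt than the debug traces, so the example prints the result rather than asserting what it should be. The Request Authenticator used for the round-trip check is a constructed value. One caveat this thread glosses over: RFC 2865 password hiding is an MD5-derived XOR mask keyed by the shared secret, not encryption, so anyone with a capture and the secret (here "testing123", the stock example value from the FreeRADIUS distribution) recovers the password exactly as this script does; PAP authentication of switch administrators belongs on an isolated management VRF or inside RadSec/IPsec.

```python
"""RFC 2865 User-Password hiding, worked against the padding quirk from this thread.

Added example, not code from the thread, FreeRADIUS or Brocade.  The packet
values below (authenticator, ciphertext) are the ones from the tcpdump posted
above; the shared secret "testing123" is the one shown in the poster's
clients.conf.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password as a NAS does (RFC 2865 section 5.2).

    The password is padded with NULs to a multiple of 16 octets; each 16-octet
    block is XORed with MD5(secret + previous ciphertext block), the first block
    using the 16-octet Request Authenticator instead of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[off:off + 16], mask))
        out += block
        prev = block
    return bytes(out)


def unhide_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password(); returns the padded octets exactly as sent.

    Nothing is stripped here on purpose: the FreeRADIUS debug output in the
    thread shows the padding bytes still present in the attribute, and those
    bytes are what breaks the comparison against Cleartext-Password.
    """
    if len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for off in range(0, len(ciphertext), 16):
        block = ciphertext[off:off + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out)


def filter_password(raw: bytes) -> bytes:
    """Drop the first NUL and everything after it.

    This mirrors the effect of the posted workaround (copying User-Password
    through %{string:...}, which stops at the first NUL): the NUL padding and
    the stray 0x11 byte the VDX appends are both discarded.  A plain
    rstrip(b"\\x00") would NOT be enough, because 0x11 is not NUL.
    """
    return raw.split(b"\x00", 1)[0]


def freeradius_escape(raw: bytes) -> str:
    """Render octets the way freeradius -X prints them: non-printables as \\ooo."""
    parts = []
    for b in raw:
        if b == 0x22:
            parts.append('\\"')
        elif b == 0x5C:
            parts.append("\\\\")
        elif 0x20 <= b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:03o}")
    return "".join(parts)


# What the thread shows FreeRADIUS decoding: 11 password bytes + 4 NULs + 0x11.
# "\021" in the debug log is octal for 0x11 (decimal 17).
VDX_PADDED = b"password123" + b"\x00\x00\x00\x00" + b"\x11"

# Values from the posted capture (frame 1, id=156) and the posted clients.conf.
CAPTURED_AUTHENTICATOR = bytes.fromhex("9a4717419852e2d7582199745c94b9f6")
CAPTURED_USER_PASSWORD = bytes.fromhex("cd12d9b6b9e12234d8b7ccbd16444fd9")
SHARED_SECRET = b"testing123"


def decode_captured_frame() -> bytes:
    """Decode the User-Password AVP from the posted pcap with the posted secret."""
    return unhide_password(CAPTURED_USER_PASSWORD, SHARED_SECRET, CAPTURED_AUTHENTICATOR)


if __name__ == "__main__":
    print("debug-style view of the padded password:", freeradius_escape(VDX_PADDED))
    print("after filter_password():", filter_password(VDX_PADDED))
    print("posted capture decodes to:", freeradius_escape(decode_captured_frame()))
```

Running this against your own capture is the check the first reply asked for: if the decoded AVP already carries the extra bytes, the switch put them on the wire and the server-side filter is the right place to absorb them; if it decodes cleanly, look at the server instead.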

Before I try your recommendation, do you first recommend using a local passwd file?  Is this a local passwd file on the FreeRADIUS server--in my case the Raspberry Pi?  So I would create the same VDX user account (networkadmin) in the Raspberry Pi local passwd file?  Just want to make sure I understand what local passwd file you are speaking of.

If this gets too difficult then I’ll open a case.

Userlevel 3

The easier solution is to have freeradius parse the padded 0’s by uncommenting the below.


[root@CentOS7 ~]# grep filter_password /etc/raddb/sites-enabled/default
#       filter_password


Before I try your recommendation, do you first recommend using a local passwd file?
Answer: This works for me. You can try it first if you are okay with using the local passwd file. 

Is this a local passwd file on the FreeRadius server--in my case the Raspberry pi?
Answer: Yes

So I would create the same vdx user account (networkadmin) on the Raspberry pi local passwd file?
Answer: Yes, same username and password

Update your /etc/raddb/users file to the below and remove (Cleartext-Password := "password123")

networkadmin Auth-Type := pap
        Brocade-Auth-Role = "admin"

Ok, I will try that tomorrow and respond back.
