FreeRadius rejecting with ERROR: Cleartext password does not match "known good" pa

PKJohns — Thu, 22 Feb 2024 18:40:45 GMT

Hi,

I am trying to configure Freeradius with my ongoing project for Authentication, and It seems being rejected always with a bad password.

I have checked all my config, and all looks ok.

Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Received Access-Request Id 71 from 47.73.0.36:18132 to 47.73.209.137:1812 length 480
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) User-Name = "test"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-IMEISV = "9900046115183800"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-IMSI = "204047168954296"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Called-Station-Id = "catm.c.octo.com"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Calling-Station-Id = "204047168954296"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-PDP-Type = 0
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Acct-Status-Type = Start
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Acct-Delay-Time = 100
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Acct-Session-Id = "204047168954296"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-Charging-ID = 547424000
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-RAT-Type = UTRAN
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-IP-Address = 47.73.209.137
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-Identifier = "Localhost"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-Port = 0
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-IMSI-MCC-MNC = "12345"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-NSAPI = "7"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-Port-Type = Wireless-Other
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) User-Password = "\024*×·Ã\256\355\341\255\346$ "
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-GGSN-Address = 158.234.62.27
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Proxy-State = 0x726665000006000521ddcee7fa110600000000000000000002002c8c2f49d18900000000000000000000000047869a46aeb5681faf3677ec90863f2b96010400000000000000
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Proxy-State = 0x7262650039e1cee7fa110600000000000000000043000000b8df056f94b90000b8df056f94b90000b89cf41b0a2c2300100007a12000000000000000000000000000000002002c8c2f49d1890000000000000000630100004701869a46aeb5681faf3677ec90863f2b961d00000000000000000000000000746573740000000000000000000000000000000000000000000000000000000000000000010000
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) authorize {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) policy filter_username {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name) -> TRUE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ / /) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ / /) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@[^@]*@/ ) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.\./ ) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.\./ ) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.$/) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.$/) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@\./) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@\./) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # if (&User-Name) = notfound
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # policy filter_username = notfound
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [preprocess] = ok
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [chap] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [mschap] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [digest] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) suffix: Checking for suffix after "@"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) suffix: No '@' in User-Name = "test", looking up realm NULL
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) suffix: No such realm "NULL"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [suffix] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) eap: No EAP-Message, not doing EAP
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [eap] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) files: users: Matched entry test at line 74
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [files] = ok
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [expiration] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [logintime] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [pap] = updated
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # authorize = updated
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Found Auth-Type = PAP
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) # Executing group from file /etc/raddb/sites-enabled/default
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Auth-Type PAP {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: Login attempt with password
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: Comparing with "known good" Cleartext-Password
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: ERROR: Cleartext password does not match "known good" password
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: Passwords don't match
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [pap] = reject
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # Auth-Type PAP = reject
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Failed to authenticate the user
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

In the Authorise file, I have

test Cleartext-Password := "radiussecret1"
Service-Type = Framed-User,
Framed-Protocol = PPP

In client.conf I have set it as the correct secret

#radius fe
client radfe_ipv4 {
ipaddr = 47.73.0.36
secret = radiussecret1
}

In the default file, I have also commented below the line

# filter_password

I don't know how Freeradius prints the encrypted password, but it looks like this.

User-Password = "\024*×·Ã\256\355\341\255\346$ "

Please help if someone has any ideas. Maybe we need to modify PDUs accordingly to pass the desired encrypted password.

I appreciate any help you can provide.

Re: FreeRadius rejecting with ERROR: Cleartext password does not match "known good" pa

Michael_Morey — Fri, 23 Feb 2024 14:07:49 GMT

Is the auth attempt being sent via a VDX? I am not sure if you have the correct forum.

topic FreeRadius rejecting with ERROR: Cleartext password does not match "known good" pa in Data Center (VDX)

FreeRadius rejecting with ERROR: Cleartext password does not match "known good" pa

Re: FreeRadius rejecting with ERROR: Cleartext password does not match "known good" pa