FreeRadius and VDX NOS cleartext password issue

kenneth_delaney
New Contributor

I have freeradius for radius server and am attempting authentication from VDX-6740.  When I look at the debug of freeradius (freeradius -X) I see that the VDX is not sending cleartext to freeradius but some control codes following the password which is causing authentication to fail.  In this example the cleartext password is "password" and that's what's being entered but several control characters are being added causing it to fail.  Does anyone know how to fix this?

Ready to process requests
(2) Received Access-Request Id 231 from 192.168.86.20:28018 to 192.168.86.3:1812 length 75
(2)   User-Name = "networkadmin"
(2)   User-Password = "password123\000\000\000\000\021"
(2)   NAS-IP-Address = 192.168.86.20
(2)   NAS-Identifier = "sw0"
(2)   NAS-Port = 26993
(2)   NAS-Port-Type = Virtual
...
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: ERROR: Cleartext password does not match "known good" password
(2) pap: Passwords don't match
(2)     [pap] = reject
(2)   } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject

9 REPLIES 9

kenneth_delaney
New Contributor

Ok, I will try that tomorrow and respond back.

Truyen_Phan
Extreme Employee

The easier solution is to have freeradius parse the padded 0's by uncommenting the below.

 

[root@CentOS7 ~]# grep filter_password /etc/raddb/sites-enabled/default
#       filter_password

 

Before I try your recommendation do you first recommend me using a local passwd file?
Answer: This works for me. You can try it first if you are okay with using the local passwd file. 

Is this a local passwd file on the FreeRadius server--in my case the Raspberry pi?
Answer: Yes

So I would create the same vdx user account (networkadmin) on the Raspberry pi local passwd file?
Answer: Yes, same username and password

Update your /etc/raddb/users file to the below and remove (Cleartext-Password := "password123")

networkadmin Auth-Type := pap
        Brocade-Auth-Role = "admin"

kenneth_delaney
New Contributor

Before I try your recommendation do you first recommend me using a local passwd file?  Is this a local passwd file on the FreeRadius server--in my case the Raspberry pi?  So I would create the same vdx user account (networkadmin) on the Raspberry pi local passwd file?  Just want to make sure I understand what local passwd file you are speaking of.

If this gets too difficult then I'll open a case.

Truyen_Phan
Extreme Employee

I'm able to see the same error if I force the authentication thru /etc/raddb/users vs local passwd file. 

The padded 0's appear to be parsed correctly when using the passwd file. I confirmed with wireshark that the VDX is padding some 0's when sending the password.

As a workaround, can you uncomment the below line in /etc/raddb/sites-enabled/default to have freeradius remove the padded 0's? Then, restart freeradius and try again?

[root@CentOS7 ~]# grep filter_password /etc/raddb/sites-enabled/default
#       filter_password
 

If you don't have the above, try adding the solution from this page:

http://freeradius.1045715.n5.nabble.com/Cleartext-password-does-not-match-quot-known-good-quot-passw...

 

put this into raddb/sites-enabled/default, in the "authorize" section:

authorize {
        update request {
                &Tmp-String-0 := "%{string:User-Password}"
                &User-Password := "%{string:Tmp-String-0}"
        }

        ... everything else...
}

 

Lastly, to track a fix for this issue, can you open a case with GTAC for us to document this to get it analyzed further? 

 

Please update the case# here once it's open, so I can look for it to pick it up.
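
The debug output in the original post shows a 16-byte User-Password whose last byte is \021 rather than NUL. The sketch below is an added example, not part of the thread and not FreeRADIUS code: it implements the RFC 2865 section 5.2 User-Password hiding and shows why stripping only trailing NULs leaves that padding in place, while cutting at the first NUL recovers the typed password. The shared secret, the Request Authenticator and all helper names are constructed for the illustration.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide(padded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = RA."""
    if not padded or len(padded) % 16 or len(padded) > 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _keystream(secret, prev))
        out += prev
    return out

def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the padded plaintext from the attribute value."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _keystream(secret, prev))
        prev = block
    return out

def rfc_pad(password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16, as the RFC specifies."""
    return password + b"\x00" * (-len(password) % 16 or (0 if password else 16))

def strip_trailing_nuls(p: bytes) -> bytes:
    return p.rstrip(b"\x00")

def cut_at_first_nul(p: bytes) -> bytes:
    return p.split(b"\x00", 1)[0]

SECRET = b"testing123"   # constructed shared secret
RA = bytes(range(16))    # constructed Request Authenticator
# Padded value as printed in the debug log above (\021 octal = 0x11)
OBSERVED = b"password123\x00\x00\x00\x00\x11"

def decode(padded: bytes) -> bytes:
    """Round-trip a padded password through hide/unhide with the sample keys."""
    return unhide(hide(padded, SECRET, RA), SECRET, RA)

if __name__ == "__main__":
    for name, padded in (("RFC padding", rfc_pad(b"password123")), ("as logged", OBSERVED)):
        plain = decode(padded)
        print(name, strip_trailing_nuls(plain), cut_at_first_nul(plain))
```

Because the first eleven bytes decode correctly, the logged value points at the padding and not at a shared-secret mismatch, which would garble the whole block.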
