FreeRadius and VDX NOS cleartext password issue

kenneth_delaney
New Contributor

I have freeradius for radius server and attempting authentication from VDX-6740.  When I look at the debug of freeradius (freeradius -X) I see that the VDX is not sending cleartext to freeradius but some control codes following the password which is causing authentication to fail.  In this example the cleartext password is “password” and that’s what’s being entered but several control characters are being added causing it to fail.  Does anyone know how to fix this?

Ready to process requests
(2) Received Access-Request Id 231 from 192.168.86.20:28018 to 192.168.86.3:1812 length 75
(2)   User-Name = "networkadmin"
(2)   User-Password = "password123\000\000\000\000\021"
(2)   NAS-IP-Address = 192.168.86.20
(2)   NAS-Identifier = "sw0"
(2)   NAS-Port = 26993
(2)   NAS-Port-Type = Virtual
.
.
.

(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: ERROR: Cleartext password does not match "known good" password
(2) pap: Passwords don't match
(2)     [pap] = reject
(2)   } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
9 REPLIES 9

kenneth_delaney
New Contributor

Ok, I will try that tomorrow and respond back.

Truyen_Phan
Extreme Employee

The easier solution is to have freeradius parse the padded 0’s by uncommenting the below.

 

[root@CentOS7 ~]# grep filter_password /etc/raddb/sites-enabled/default
#       filter_password

 

Before I try your recommendation do you first recommend me using a local passwd file?
Answer: This works for me. You can try it first if you are okay with using the local passwd file. 

Is this a local passwd file on the FreeRadius server--in my case the Raspberry pi?
Answer: Yes

So I would create the same vdx user account (networkadmin) on the Raspberry pi local passwd file?
Answer: Yes, same username and password

Update your /etc/raddb/users file to the below and remove (Cleartext-Password := "password123")

networkadmin Auth-Type := pap
        Brocade-Auth-Role = "admin"

kenneth_delaney
New Contributor

Before I try your recommendation do you first recommend me using a local passwd file?  Is this a local passwd file on the FreeRadius server--in my case the Raspberry pi?  So I would create the same vdx user account (networkadmin) on the Raspberry pi local passwd file?  Just want to make sure I understand what local passwd file you are speaking of.

If this gets too difficult then I’ll open a case.

Truyen_Phan
Extreme Employee

I'm able to see the same error if I force the authentication thru /etc/raddb/users vs local passwd file. 

The padded 0’s appear to be parsed correctly when using the passwd file. I confirmed with Wireshark that the VDX is padding some 0’s when sending the password. 

As a workaround, can you uncomment the below line in /etc/raddb/sites-enabled/default to have freeradius remove the padded 0’s? Then, restart freeradius and try again? 

[root@CentOS7 ~]# grep filter_password /etc/raddb/sites-enabled/default
#       filter_password
 

If you don't have the above, try adding the solution from this page:

http://freeradius.1045715.n5.nabble.com/Cleartext-password-does-not-match-quot-known-good-quot-passw...

 

put this into raddb/sites-enabled/default, in the "authorize" section:

authorize {
        # Re-expand User-Password as a string so the padded 0's are removed
        update request {
                &Tmp-String-0 := "%{string:User-Password}"
                &User-Password := "%{string:Tmp-String-0}"
        }

        # ... everything else ...
}

 

Lastly, to track a fix for this issue, can you open a case with GTAC for us to document this to get it analyzed further? 

 

Please update the case# here once it’s open, so I can look for it to pick it up. 
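Added example, not part of the thread and not FreeRADIUS code: a Python sketch of the RFC 2865 User-Password hiding, showing why the 16-byte value from the debug output above fails a cleartext comparison when only trailing NULs are trimmed, and why cutting at the first NUL matches again. The shared secret, the authenticator, and the assumption that the string re-expansion workaround behaves like a cut at the first NUL are all assumptions made for this illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide(padded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 hiding of a value already padded to 16n bytes."""
    if len(padded) % 16 or len(authenticator) != 16:
        raise ValueError("password must be padded to a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block      # next block chains on the ciphertext
    return out

def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding; padding bytes are still attached."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out

def strip_trailing_nuls(pw: bytes) -> bytes:
    return pw.rstrip(b"\x00")               # only helps if padding is NULs to the end

def cut_at_first_nul(pw: bytes) -> bytes:
    return pw.split(b"\x00", 1)[0]          # assumed effect of the workaround

# Constructed sample values (not taken from a real deployment)
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
KNOWN_GOOD = b"password123"
CLEAN_PAD = KNOWN_GOOD + b"\x00" * 5                # NUL padding to 16 bytes
VDX_PAD = KNOWN_GOOD + b"\x00" * 4 + b"\x11"        # "\000\000\000\000\021" as logged

def check(padded: bytes):
    """Return (decoded value, match after trailing-NUL strip, match after first-NUL cut)."""
    decoded = unhide(hide(padded, SECRET, AUTHENTICATOR), SECRET, AUTHENTICATOR)
    return (decoded,
            strip_trailing_nuls(decoded) == KNOWN_GOOD,
            cut_at_first_nul(decoded) == KNOWN_GOOD)

if __name__ == "__main__":
    for label, value in (("clean padding", CLEAN_PAD), ("padding as logged", VDX_PAD)):
        print(label, check(value))
```

The trailing 0x11 byte is what defeats a trailing-NUL trim: the last byte of the block is not a NUL, so nothing is removed and the comparison sees all 16 bytes.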
