10-29-2019 12:51 AM
I have FreeRADIUS as my RADIUS server and am attempting authentication from a VDX-6740. When I look at the debug output of FreeRADIUS (freeradius -X), I see that the VDX is not sending cleartext to FreeRADIUS but some control codes following the password, which is causing authentication to fail. In this example the cleartext password is “password” and that’s what’s being entered, but several control characters are being added, causing it to fail. Does anyone know how to fix this?
Ready to process requests
(2) Received Access-Request Id 231 from 192.168.86.20:28018 to 192.168.86.3:1812 length 75
(2) User-Name = "networkadmin"
(2) User-Password = "password123\000\000\000\000\021"
(2) NAS-IP-Address = 192.168.86.20
(2) NAS-Identifier = "sw0"
(2) NAS-Port = 26993
(2) NAS-Port-Type = Virtual
.
.
.
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: ERROR: Cleartext password does not match "known good" password
(2) pap: Passwords don't match
(2) [pap] = reject
(2) } # Auth-Type PAP = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
10-29-2019 11:32 PM
Here’s a tcpdump of the conversation between the VDX (.20) and the FreeRadius Server (.3)
radius-conv2.pcap 2 total packets, 2 shown
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.86.20 192.168.86.3 RADIUS 117 Access-Request id=156
Frame 1: 117 bytes on wire (936 bits), 117 bytes captured (936 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Oct 29, 2019 18:35:41.092892000 Eastern Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1572388541.092892000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 117 bytes (936 bits)
Capture Length: 117 bytes (936 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f), Dst: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
Destination: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
Address: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
Address: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.86.20, Dst: 192.168.86.3
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 103
Identification: 0x0000 (0)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x0d1e [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.86.20
Destination: 192.168.86.3
User Datagram Protocol, Src Port: 8507, Dst Port: 1812
Source Port: 8507
Destination Port: 1812
Length: 83
Checksum: 0x2c17 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 0.000000000 seconds]
[Time since previous frame: 0.000000000 seconds]
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x9c (156)
Length: 75
Authenticator: 9a4717419852e2d7582199745c94b9f6
[The response to this request is in frame 2]
Attribute Value Pairs
AVP: t=User-Name(1) l=14 val=networkadmin
Type: 1
Length: 14
User-Name: networkadmin
AVP: t=User-Password(2) l=18 val=Encrypted
Type: 2
Length: 18
User-Password (encrypted): cd12d9b6b9e12234d8b7ccbd16444fd9
AVP: t=NAS-IP-Address(4) l=6 val=192.168.86.20
Type: 4
Length: 6
NAS-IP-Address: 192.168.86.20
AVP: t=NAS-Identifier(32) l=5 val=sw0
Type: 32
Length: 5
NAS-Identifier: sw0
AVP: t=NAS-Port(5) l=6 val=7482
Type: 5
Length: 6
NAS-Port: 7482
AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
Type: 61
Length: 6
NAS-Port-Type: Virtual (5)
No. Time Source Destination Protocol Length Info
2 1.004392 192.168.86.3 192.168.86.20 RADIUS 62 Access-Reject id=156
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Oct 29, 2019 18:35:42.097284000 Eastern Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1572388542.097284000 seconds
[Time delta from previous captured frame: 1.004392000 seconds]
[Time delta from previous displayed frame: 1.004392000 seconds]
[Time since reference or first frame: 1.004392000 seconds]
Frame Number: 2
Frame Length: 62 bytes (496 bits)
Capture Length: 62 bytes (496 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:radius]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1), Dst: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
Destination: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
Address: BrocadeC_02:8e:0f (50:eb:1a:02:8e:0f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
Address: EdimaxTe_7e:90:d1 (80:1f:02:7e:90:d1)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.86.3, Dst: 192.168.86.20
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 48
Identification: 0xdd16 (56598)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x703e [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.86.3
Destination: 192.168.86.20
User Datagram Protocol, Src Port: 1812, Dst Port: 8507
Source Port: 1812
Destination Port: 8507
Length: 28
Checksum: 0x8602 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 1.004392000 seconds]
[Time since previous frame: 1.004392000 seconds]
RADIUS Protocol
Code: Access-Reject (3)
Packet identifier: 0x9c (156)
Length: 20
Authenticator: f7506bec99992303a263abb558345a24
[This is a response to a request in frame 1]
[Time from request: 1.004392000 seconds]
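A worked example to go with the capture above (my own code, not from the thread, FreeRADIUS or Brocade). The User-Password AVP in frame 1 has l=18, i.e. a 16-octet hidden value. RFC 2865 section 5.2 requires the NAS to pad the cleartext with NUL octets to a multiple of 16 before XORing it with the MD5(secret + Request Authenticator) keystream, and the server, FreeRADIUS included, removes only trailing NULs after reversing the XOR. So an 11-octet "password123" legitimately travels as 16 octets, five of them padding; the decoded string only comes out wrong when that padding is not all NUL. The script implements the hiding and unhiding with constructed values (secret "demo-secret" and a fixed authenticator, neither from the thread) and shows why a block ending in a non-NUL octet such as 0x11 (\021) survives the strip and fails the comparison.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks

# Constructed demo values, not from the thread: a shared secret and a fixed
# 16-octet Request Authenticator so the output is reproducible offline.
SECRET = b"demo-secret"
AUTHENTICATOR = bytes(range(16))

KNOWN_GOOD = b"password123"  # the Cleartext-Password in the users file posted in the thread


def pad_rfc2865(password: bytes) -> bytes:
    """Pad the cleartext with NUL octets to a multiple of 16 (RFC 2865 s5.2)."""
    padded_len = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    return password + b"\x00" * (padded_len - len(password))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide(padded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: c1 = p1 XOR MD5(secret+RA), ci = pi XOR MD5(secret+c(i-1))."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("cleartext must already be padded to 16-octet blocks")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        c = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return bytes(out)


def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the XOR. Returns the padded cleartext, padding included."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(out)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server compares: unhide, then strip trailing NULs (and only NULs)."""
    return unhide(hidden, secret, authenticator).rstrip(b"\x00")


def escape_like_debug(raw: bytes) -> str:
    """Render non-printable octets as \\ooo, roughly as freeradius -X prints them."""
    out = []
    for b in raw:
        if b in (0x22, 0x5C):          # " and \ are backslash-escaped
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\{b:03o}")   # octal escape for non-printables
    return "".join(out)


def compliant_case() -> bytes:
    """A NAS that pads with NULs: 11 octets become 16 on the wire and are recovered exactly."""
    hidden = hide(pad_rfc2865(KNOWN_GOOD), SECRET, AUTHENTICATOR)
    return recover_password(hidden, SECRET, AUTHENTICATOR)


def trailing_nonzero_case() -> bytes:
    """A NAS whose block ends in a non-NUL octet (0x11 = \\021 as in the debug output):
    the strip stops at that octet, the padding survives, and the match fails."""
    block = KNOWN_GOOD + b"\x00\x00\x00\x00\x11"   # constructed to mirror the thread's debug line
    hidden = hide(block, SECRET, AUTHENTICATOR)
    return recover_password(hidden, SECRET, AUTHENTICATOR)


def matches_known_good(recovered: bytes) -> bool:
    return recovered == KNOWN_GOOD


if __name__ == "__main__":
    for name, fn in (("RFC-compliant padding", compliant_case), ("trailing 0x11", trailing_nonzero_case)):
        pw = fn()
        print(f'{name}: User-Password = "{escape_like_debug(pw)}" -> match={matches_known_good(pw)}')
```

Run as a script it prints both decoded blocks in the same \ooo notation as the debug output. Feeding unhide() the Authenticator and encrypted User-Password from frame 1 above, together with the client secret from clients.conf, shows the exact octets the VDX put on the wire for that request; note the pcap (id 156) and the debug output in the thread (id 231 and id 99) are different requests, so compare them per user rather than byte for byte.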
10-29-2019 10:25 PM
It looks like we are using slightly different versions of FreeRADIUS. I’m running FreeRADIUS v3.0.17 on a Raspberry Pi 2 Model B, Raspbian (Debian 10.1), Linux kernel 4.19.75-v7+.
I was following the VDX NOS 7.3 Security Guide to configure the RADIUS server. Here are some configuration items.
Here’s some VDX info…
sw0# sh ver
Network Operating System Software
Network Operating System Version: 7.3.0a
Copyright (c) 1995-2017 Brocade Communications Systems, Inc.
Firmware name: 7.3.0a
Build Time: 07:59:32 Sep 24, 2018
Install Time: 21:43:04 Oct 29, 2019
Kernel: 2.6.34.6
BootProm: 1.0.1
Control Processor: e500mc with 4096 MB of memory
Slot Name Primary/Secondary Versions Status
---------------------------------------------------------------------------
SW/0 NOS 7.3.0a ACTIVE*
7.3.0a
SW/1 NOS 7.3.0a STANDBY
7.3.0a
sw0# show running-config radius-server host 192.168.86.3
radius-server host 192.168.86.3 use-vrf mgmt-vrf
protocol pap key "VaXhc9WCy+1IwRU2ZaS2vQ==\n" encryption-level 7 timeout 10
sw0# show running-config aaa
aaa authentication login radius local-auth-fallback
aaa accounting exec default start-stop none
aaa accounting commands default start-stop none
sw0# show running-config username
username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator
username networkadmin password "QSrTWRQ4q43BkajCtwxNVw==\n" encryption-level 7 role admin
username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User
Here’s the FreeRADIUS info…
root@pi-radius:/usr/share/freeradius# cat dictionary.brocade
# -*- text -*-
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
#
VENDOR Brocade 1588
BEGIN-VENDOR Brocade
ATTRIBUTE Brocade-Auth-Role 1 string
# Valid attribute values:
# Admin BasicSwitchAdmin FabricAdmin Operator
# SecurityAdmin SwitchAdmin User ZoneAdmin
ATTRIBUTE Brocade-AVPairs1 2 string
ATTRIBUTE Brocade-AVPairs2 3 string
ATTRIBUTE Brocade-AVPairs3 4 string
ATTRIBUTE Brocade-AVPairs4 5 string
# Brocade-AVPairs1/2/3/4:
# Optional, specifies Admin Domain or Virtual Fabric List
ATTRIBUTE Brocade-Passwd-ExpiryDate 6 string # Format: MM/DD/YYYY
ATTRIBUTE Brocade-Passwd-WarnPeriod 7 string # Format: integer in days
root@pi-radius:/usr/share/freeradius# cat /etc/freeradius/3.0/users
.
.
.
#The following is for Brocade VDX User
networkadmin Cleartext-Password := "password123"
Service-Type = Framed-User,
Brocade-Auth-Role = "admin"
root@pi-radius:/usr/share/freeradius# cat /etc/freeradius/3.0/clients.conf
.
.
.
client private-network-1 {
ipaddr = 192.168.86.0/24
secret = testing123
}
Ready to process requests
(0) Received Access-Request Id 99 from 192.168.86.20:3272 to 192.168.86.3:1812 length 75
(0) User-Name = "networkadmin"
(0) User-Password = "password123\000\000\000\000\021"
(0) NAS-IP-Address = 192.168.86.20
(0) NAS-Identifier = "sw0"
(0) NAS-Port = 2247
(0) NAS-Port-Type = Virtual
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "networkadmin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry networkadmin at line 84
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password does not match "known good" password
(0) pap: Passwords don't match
(0) [pap] = reject
(0) } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> networkadmin
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 99 from 192.168.86.3:1812 to 192.168.86.20:3272 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 99 with timestamp +951
Ready to process requests
10-29-2019 07:13 PM
I tried in our lab and was able to authenticate without issues.
[root@CentOS7 ~]# radiusd -X
FreeRADIUS Version 3.0.13
...
(1) Received Accounting-Request Id 247 from 10.26.143.242:13976 to 10.26.142.82:1813 length 90
(1) User-Name = "test123"
(1) NAS-IP-Address = 10.26.143.242
(1) NAS-Identifier = "sw0"
(1) Calling-Station-Id = "134.141.54.205"
(1) NAS-Port = 12951
(1) NAS-Port-Type = Virtual
(1) Acct-Status-Type = Start
(1) Acct-Session-Id = "00012951"
(1) Acct-Authentic = RADIUS
(1) # Executing section preacct from file /etc/raddb/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) update request {
(1) &Tmp-String-9 := "ai:"
(1) } # update request = noop
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1) EXPAND %{hex:&Class}
(1) -->
(1) EXPAND ^%{hex:&Tmp-String-9}
(1) --> ^61693a
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(1) else {
(1) update request {
(1) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 671d2208a23a54a3debe9733f362a5b2
(1) &Acct-Unique-Session-Id := 671d2208a23a54a3debe9733f362a5b2
(1) } # update request = noop
(1) } # else = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test123", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file /etc/raddb/sites-enabled/default
(1) accounting {
(1) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /var/log/radius/radacct/10.26.143.242/detail-20191029
(1) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.26.143.242/detail-20191029
(1) detail: EXPAND %t
(1) detail: --> Tue Oct 29 11:58:24 2019
(1) [detail] = ok
(1) [unix] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> test123
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 247 from 10.26.142.82:1813 to 10.26.143.242:13976 length 0
(1) Finished request
Also, please confirm that you have the dictionary files configured and attribute roles set.
[root@CentOS7 ~]# cat /etc/raddb/dictionary | grep brocade
$INCLUDE dictionary.brocade
[root@CentOS7 ~]# cat /etc/raddb/dictionary.brocade
#
# dictionary.brocade
#
VENDOR Brocade 1588
#
# attributes
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade
[root@CentOS7 ~]# cat /etc/raddb/users
...
test123 Auth-Type := pap
Brocade-Auth-Role = "admin"
10-29-2019 12:13 PM
NOS 7.3.0a
This is the first time, a new setup
One VDX currently, 6740
I have redone the RADIUS host configuration a few times and re-added it
I’ll have to check whether the same characters are added each time... I’ll create another user with the admin role and a different password and see if there’s a difference
It’s only the VDX that appends these characters to cleartext passwords. If I use test clients like Linux radtest or a simple RADIUS tool on an Android device with the same account, there’s no issue.
Ken
10-29-2019 02:59 AM
Hello Kenneth,
We may need a packet capture from the VDX management interface to confirm that the VDX is adding these characters when it’s leaving the switch.