
FreeRadius rejecting with ERROR: Cleartext password does not match "known good" pa


PKJohns
New Contributor

Hi,

I am trying to configure Freeradius with my ongoing project for authentication, and it always seems to be rejected with a bad password.

I have checked all my config, and all looks ok. 

Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Received Access-Request Id 71 from 47.73.0.36:18132 to 47.73.209.137:1812 length 480
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) User-Name = "test"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-IMEISV = "9900046115183800"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-IMSI = "204047168954296"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Called-Station-Id = "catm.c.octo.com"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Calling-Station-Id = "204047168954296"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-PDP-Type = 0
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Acct-Status-Type = Start
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Acct-Delay-Time = 100
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Acct-Session-Id = "204047168954296"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-Charging-ID = 547424000
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-RAT-Type = UTRAN
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-IP-Address = 47.73.209.137
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-Identifier = "Localhost"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-Port = 0
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-IMSI-MCC-MNC = "12345"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-NSAPI = "7"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) NAS-Port-Type = Wireless-Other
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) User-Password = "\024*×·Ã\256\355\341\255\346$ "
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) 3GPP-GGSN-Address = 158.234.62.27
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Proxy-State = 0x726665000006000521ddcee7fa110600000000000000000002002c8c2f49d18900000000000000000000000047869a46aeb5681faf3677ec90863f2b96010400000000000000
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Proxy-State = 0x7262650039e1cee7fa110600000000000000000043000000b8df056f94b90000b8df056f94b90000b89cf41b0a2c2300100007a12000000000000000000000000000000002002c8c2f49d1890000000000000000630100004701869a46aeb5681faf3677ec90863f2b961d00000000000000000000000000746573740000000000000000000000000000000000000000000000000000000000000000010000
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) authorize {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) policy filter_username {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name) -> TRUE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ / /) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ / /) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@[^@]*@/ ) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.\./ ) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.\./ ) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.$/) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /\.$/) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@\./) {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) if (&User-Name =~ /@\./) -> FALSE
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # if (&User-Name) = notfound
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # policy filter_username = notfound
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [preprocess] = ok
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [chap] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [mschap] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [digest] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) suffix: Checking for suffix after "@"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) suffix: No '@' in User-Name = "test", looking up realm NULL
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) suffix: No such realm "NULL"
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [suffix] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) eap: No EAP-Message, not doing EAP
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [eap] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) files: users: Matched entry test at line 74
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [files] = ok
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [expiration] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [logintime] = noop
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [pap] = updated
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # authorize = updated
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Found Auth-Type = PAP
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) # Executing group from file /etc/raddb/sites-enabled/default
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Auth-Type PAP {
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: Login attempt with password
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: Comparing with "known good" Cleartext-Password
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: ERROR: Cleartext password does not match "known good" password
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) pap: Passwords don't match
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) [pap] = reject
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) } # Auth-Type PAP = reject
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) Failed to authenticate the user
Feb 22 17:26:28 vga679yr radiusd[497648]: (7) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

 

 

In the Authorise file, I have 

test    Cleartext-Password := "radiussecret1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP

In client.conf I have set it as the correct secret

#radius fe
client radfe_ipv4 {
        ipaddr  = 47.73.0.36
        secret  = radiussecret1
}

 

In the default file, I have also commented out the line below

#       filter_password

 

I don't know how Freeradius prints the encrypted password, but it looks like this.

User-Password = "\024*×·Ã\256\355\341\255\346$ "

 

Please help if someone has any ideas. Maybe we need to modify PDUs accordingly to pass the desired encrypted password.

 

I appreciate any help you can provide.
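Added example (not part of the original post, and not FreeRADIUS code): the RFC 2865 section 5.2 User-Password hiding, showing why a shared-secret mismatch between the sender of the Access-Request and the server produces the unprintable password and the WARNING seen in the log above. The request authenticator, the sender-side secret and the helper names are constructed for illustration; "radiussecret1" is the value from the post.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the client puts on the wire: p_i XOR MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                               # chain on the ciphertext block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with ITS copy of the secret before the PAP compare."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def looks_like_secret_mismatch(decoded: bytes) -> bool:
    """Same heuristic as the log WARNING: non-printable bytes after decoding."""
    return any(b < 0x20 or b > 0x7E for b in decoded)

# Constructed inputs: a fixed 16-byte Request Authenticator and a sender
# whose configured secret differs from the server's clients.conf entry.
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"radiussecret1"         # secret from the post's client block
SENDER_SECRET = b"some-other-secret"     # hypothetical value on the sending side
PASSWORD = b"radiussecret1"              # Cleartext-Password from the post

def decode_as_server(sender_secret: bytes) -> bytes:
    wire = hide_password(PASSWORD, sender_secret, REQUEST_AUTH)
    return unhide_password(wire, SERVER_SECRET, REQUEST_AUTH)

if __name__ == "__main__":
    for label, secret in (("matching", SERVER_SECRET), ("mismatched", SENDER_SECRET)):
        decoded = decode_as_server(secret)
        print(f"{label:10} secret -> {decoded!r} "
              f"unprintable={looks_like_secret_mismatch(decoded)}")
```

The secret that has to match is the one configured on the host that actually sent the packet to this server (47.73.0.36 in the log), since the value is re-hidden at every RADIUS hop.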

 

 

 

1 ACCEPTED SOLUTION

Michael_Morey
Extreme Employee

Is the auth attempt being sent via a VDX?  I am not sure if you have the correct forum.

Michael Morey
Principal Technical Support Engineer
Extreme Networks
