
[defect]: Can authenticate from RADIUS itself but can't from any other source (Cisco router) #5268

Closed
rovshan91 opened this issue Jan 18, 2024 · 1 comment
Labels
defect category: a defect or misbehaviour

Comments

@rovshan91

What type of defect/bug is this?

Crash or memory corruption (segv, abort, etc...)

How can the issue be reproduced?

Hello, I have a very strange problem: I can authenticate from RADIUS itself but can't from any other source (Cisco router) with the same user.

I'm using RADIUS, taking the user base from SQL.

Log output from the FreeRADIUS daemon

Authenticating from the router

(0) Received Access-Request Id 22 from 10.10.81.254:1645 to 10.10.81.31:1812 length 71
(0)   User-Name = "rovshan"
(0)   User-Password = "\254\323c\253\360\214\315g\321\3035 :4\314\""
(0)   NAS-Port = 2
(0)   NAS-Port-Id = "tty2"
(0)   NAS-Port-Type = Virtual
(0)   NAS-IP-Address = 10.10.81.254
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "rovshan", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql:    --> rovshan
(0) sql: SQL-User-Name set to 'rovshan'
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rovshan' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rovshan' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql:   Crypt-Password := "SAKL/NQfXrXtw"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rovshan' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rovshan' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'rovshan' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rovshan' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version.
rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.5.5-10.6.12-MariaDB-0ubuntu0.22.04.1, protocol version 10
(0)     [sql] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" Crypt-password
(0) pap: ERROR: Crypt digest does not match "known good" digest
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND %{User-Name}
(0) sql:    --> rovshan
(0) sql: SQL-User-Name set to 'rovshan'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rovshan', '=3DAC=3DD3c=3DAB=3DF0=3D8C=3DCDg=3DD1=3DC35 :4=3DCC=3D22', 'Access-Reject', '2024-01-18 10:20:16.630819' )
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rovshan', '=3DAC=3DD3c=3DAB=3DF0=3D8C=3DCDg=3DD1=3DC35 :4=3DCC=3D22', 'Access-Reject', '2024-01-18 10:20:16.630819' )
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(0)     [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> rovshan
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated


Authenticating from the server itself


(5) Received Access-Request Id 189 from 10.10.81.31:51924 to 10.10.81.31:1812 length 47
(5)   User-Name = "rovshan"
(5)   User-Password = "P@55w0rd123"
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "rovshan", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: No EAP-Message, not doing EAP
(5)     [eap] = noop
(5)     [files] = noop
(5) sql: EXPAND %{User-Name}
(5) sql:    --> rovshan
(5) sql: SQL-User-Name set to 'rovshan'
rlm_sql (sql): Reserved connection (9)
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rovshan' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rovshan' ORDER BY id
(5) sql: User found in radcheck table
(5) sql: Conditional check items matched, merging assignment check items
(5) sql:   Crypt-Password := "SAKL/NQfXrXtw"
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rovshan' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rovshan' ORDER BY id
(5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'rovshan' ORDER BY priority
(5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'rovshan' ORDER BY priority
(5) sql: User not found in any groups
rlm_sql (sql): Released connection (9)
Need 1 more connections to reach min connections (3)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (10), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
WARNING: MYSQL_OPT_RECONNECT is deprecated and will be removed in a future version.
rlm_sql_mysql: Connected to database 'raddb' on Localhost via UNIX socket, server version 5.5.5-10.6.12-MariaDB-0ubuntu0.22.04.1, protocol version 10
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing expired connection (2) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
(5)     [sql] = ok
(5)     [expiration] = noop
(5)     [logintime] = noop
(5)     [pap] = updated
(5)   } # authorize = updated
(5) Found Auth-Type = PAP
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Auth-Type PAP {
(5) pap: Login attempt with password
(5) pap: Comparing with "known-good" Crypt-password
(5) pap: User authenticated successfully
(5)     [pap] = ok
(5)   } # Auth-Type PAP = ok
(5) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(5)   post-auth {
(5)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(5)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(5)     update {
(5)       No attributes updated for RHS &session-state:
(5)     } # update = noop
(5) sql: EXPAND .query
(5) sql:    --> .query
(5) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (9)
(5) sql: EXPAND %{User-Name}
(5) sql:    --> rovshan
(5) sql: SQL-User-Name set to 'rovshan'
(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )
(5) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rovshan', 'P@55w0rd123', 'Access-Accept', '2024-01-18 10:23:35.078740' )
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'rovshan', 'P@55w0rd123', 'Access-Accept', '2024-01-18 10:23:35.078740' )
(5) sql: SQL query returned: success
(5) sql: 1 record(s) updated
rlm_sql (sql): Released connection (9)
(5)     [sql] = ok
(5)     [exec] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(5)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(5)   } # post-auth = ok
(5) Sent Access-Accept Id 189 from 10.10.81.31:1812 to 10.10.81.31:51924 length 20
(5) Finished request
Waking up in 4.9 seconds.
(5) Cleaning up request packet ID 189 with timestamp +208 due to cleanup_delay was reached
Ready to process requests

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response
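The two traces above differ in one decisive way: the request from the router carries a `User-Password` full of octal escapes (16 binary bytes; the same bytes show up as hex in the `radpostauth` INSERT), and the server itself prints "Unprintable characters in the password. Double-check the shared secret". A RADIUS `User-Password` is hidden on the wire with an MD5/XOR chain keyed on the shared secret (RFC 2865 section 5.2), so a secret that differs between the NAS entry in `clients.conf` and the router unhides to random bytes rather than to the typed password, and PAP then rejects it. The following is an added example, not code from the issue or from FreeRADIUS: it implements that hiding algorithm, shows that the wrong secret yields unprintable bytes, and scans `radiusd -X` lines for the two symptoms visible in this report. The secret, the "wrong" secret and the fixed Request Authenticator are constructed for the demo; `has_unprintable` is a simplification of the server's own check; the sample log lines are copied from the issue.

```python
import hashlib
import re

# Constructed values for the demo (not from the issue). A real NAS sends a
# fresh random 16-byte Request Authenticator with every Access-Request.
SECRET = b"testing123"
WRONG_SECRET = b"not-the-same-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"P@55w0rd123"  # the cleartext visible in the issue's local test


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as the NAS does it.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret || previous block), the first "previous block" being the
    Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password is still sent as one block
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain, keyed on the received cipher blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def has_unprintable(data: bytes) -> bool:
    """Rough stand-in (assumption) for the check behind the server's warning."""
    return any(b < 0x20 or b > 0x7E for b in data)


def unescape_debug_string(s: str) -> bytes:
    """Undo the escaping radiusd -X uses for attribute values: \\NNN octal, \\" and \\\\."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            octal = s[i + 1:i + 4]
            if len(octal) == 3 and all(c in "01234567" for c in octal):
                out.append(int(octal, 8))
                i += 4
                continue
            out.append(ord(s[i + 1]))
            i += 2
            continue
        out.append(ord(s[i]))
        i += 1
    return bytes(out)


PASSWORD_LINE = re.compile(r'^\((\d+)\)\s+User-Password = "(.*)"\s*$')


def find_secret_mismatch_hints(log_text: str) -> list[str]:
    """Scan radiusd -X output for the two signs of a NAS/server shared-secret mismatch."""
    hints = []
    for line in log_text.splitlines():
        m = PASSWORD_LINE.match(line)
        if m and has_unprintable(unescape_debug_string(m.group(2))):
            hints.append(f"request {m.group(1)}: User-Password is binary garbage, not a typed password")
        elif "Unprintable characters in the password" in line:
            hints.append("server warned about the password; compare the secret in clients.conf with the NAS")
    return hints


# Lines copied from the issue's log (router request 0, local request 5).
SAMPLE_LOG = r'''(0)   User-Password = "\254\323c\253\360\214\315g\321\3035 :4\314\""
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(5)   User-Password = "P@55w0rd123"
'''

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("correct secret :", reveal_password(hidden, SECRET, AUTHENTICATOR))
    print("wrong secret   :", reveal_password(hidden, WRONG_SECRET, AUTHENTICATOR))
    for hint in find_secret_mismatch_hints(SAMPLE_LOG):
        print(hint)
```

Running it prints the cleartext for the correct secret, random-looking bytes for the wrong one, and two hints for request 0 and none for request 5, which is exactly the pattern in the two traces. A separate point worth noting from the same log: the default `radpostauth` INSERT writes the submitted `User-Password` into the `pass` column in clear for both accepts and rejects, so that table holds live credentials and deserves the same protection as the password store.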

@rovshan91 rovshan91 added the defect category: a defect or misbehaviour label Jan 18, 2024
@alandekok
Member

Please ask questions on the freeradius-users mailing list.

@FreeRADIUS FreeRADIUS locked as off-topic and limited conversation to collaborators Jan 18, 2024