Project

General

Profile

Bug #9583

Freeradius 3 auth error on OTP (only on PFSense 2.5-dev)

Added by Luca De Andreis 8 months ago. Updated 7 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
FreeRADIUS
Target version:
Start date:
06/13/2019
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.5
Affected Architecture:
All

Description

Freeradius 3 on PFSense 2.5-dev using OTP (Google auth) fail auth (works correctly on simple autentication not OTP).
The same configuration on 2.4.4-p3 works perfectly

History

#1 Updated by Viktor Gurov 10 days ago

  • Affected Version set to 2.4.5

issue for both Google Authenticator and mOTP
on the latest 2.4.5 and 2.5

# radtest -t pap guser1 1234713723 127.0.0.1:1812 10000 123
Sent Access-Request Id 104 from 0.0.0.0:19601 to 127.0.0.1:1812 length 76
    User-Name = "guser1" 
    User-Password = "1234713723" 
    NAS-IP-Address = 192.168.3.45
    NAS-Port = 10000
    Message-Authenticator = 0x00
    Cleartext-Password = "1234713723" 
Received Access-Reject Id 104 from 127.0.0.1:1812 to 127.0.0.1:19601 length 20
(0) -: Expected Access-Accept got Access-Reject

in logs:

Login incorrect (Failed retrieving values required to evaluate condition): [guser1] (from client local port 10000)

no such issue on 2.4.4-p3

changes in the FreeBSD RADIUS binary?

on 2.4.4-p3:

# radiusd -v
radiusd: FreeRADIUS Version 3.0.17, for host amd64-portbld-freebsd11.2, built on May 13 2019 at 16:47:37
FreeRADIUS Version 3.0.17

on 2.4.5:

# radiusd -v
radiusd: FreeRADIUS Version 3.0.20, for host amd64-portbld-freebsd11.3, built on Jan  2 2020 at 14:43:22
FreeRADIUS Version 3.0.20

https://freeradius.org/release_notes/

#2 Updated by Viktor Gurov 10 days ago

mOTP is ok

this is python3.7 code issue:

/usr/local/etc/raddb/scripts/googleauth.py guser1 BIRVHQM2NSOM3JUO 1234 1234938913
Traceback (most recent call last):
  File "/usr/local/etc/raddb/scripts/googleauth.py", line 54, in <module>
    auth = authenticate(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
  File "/usr/local/etc/raddb/scripts/googleauth.py", line 34, in authenticate
    offset = ord(hm[-1]) & 0x0F
TypeError: ord() expected string of length 1, but int found

2.4.4-p3 uses python2.7

#3 Updated by Jim Pingle 10 days ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle
  • Target version set to 2.4.5
  • % Done changed from 0 to 100
  • Affected Architecture set to All

I knew GA had a python 3.x issue but just hadn't got around to fixing it yet. It was a simple change:

2.5.0: https://github.com/pfsense/FreeBSD-ports/commit/ccf049ec38520d67e6b9688c80cd6a15fb94c84d
2.4.5: https://github.com/pfsense/FreeBSD-ports/commit/20794ae5981df7ec6bcf6f41bf70790d66aee975

I ran the script through 2to3 and it didn't flag anything. After removing that ord() call, it works as expected. I can auth at the CLI and via Diag > Auth only with valid GA codes generated within the expected time frame.

#4 Updated by Jim Pingle 7 days ago

  • Status changed from Feedback to Resolved

Works fine on _9.

Also available in: Atom PDF