
Using Authen::Radius with LDAP: Password being encrypted or corrupted

by serafina (Initiate)
on Dec 03, 2012 at 17:15 UTC ( #1006916=perlquestion )
serafina has asked for the wisdom of the Perl Monks concerning the following question:

Hello, all! I'm here for a bit of help using Authen::Radius to authenticate against RADIUS with LDAP in the backend. My problem is that RADIUS is receiving a packet from Authen::Radius with the password encrypted or corrupted, so the user is not authenticated. The password needs to be in plaintext. radtest is able to authenticate successfully.

    #!/usr/bin/perl -w
    # radtest username "ldappassword" localhost 2 testing123
    use strict;
    use Authen::Radius;

    my $r = new Authen::Radius(
        Host   => 'localhost',
        Secret => 'radiuspassword',
        Debug  => 1
    );
    $r->load_dictionary('/etc/freeradius/dictionary');

    #$r->check_pwd('username', 'ldappassword'); # also fails
    $r->add_attributes (
        { Name => 'User-Name',      Value => 'username' },
        { Name => 'NAS-IP-Address', Value => '' },
        { Name => 'User-Password',  Value => 'ldappassword' },
        { Name => 'NAS-Port',       Value => '2' },
    );
    $r->send_packet(ACCESS_REQUEST) || print "send_packet failed\n";

    my $type = $r->recv_packet(1);
    if (!$type && $r->get_error() eq 'EBADAUTH') {
        print "Authentication failed\n";
        exit();
    }
    print "server response type = $type\n";

The output of this script is "Authentication failed." As indicated above, radtest is able to authenticate and prints the password in plain text in the log. However, with Authen::Radius, the log contains (with gibberish replacing each instance of "#65533;" here):

    rad_recv: Access-Request packet from host port 58912, id=203, length=50
        User-Name = "username"
        User-Password = "=\337R\3361\001ا.!\353\346\352\010ܫ"
        NAS-IP-Address =
    *snip*
    [ldap] login attempt by "username" with password "=�R�1?ا.!���?ܫ"
    [ldap] user DN: uid=username,ou=People,dc=example,dc=com
    [ldap] (re)connect to localhost:389, authentication 1
    [ldap] bind as uid=username,ou=People,dc=example,dc=com/=�R�1?ا.!���?ܫ to localhost:389
    [ldap] waiting for bind result ...
    [ldap] Bind failed with invalid credentials
    ++[ldap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

When using radtest, log looks like this:

    rad_recv: Access-Request packet from host port 47900, id=129, length=74
        User-Name = "username"
        User-Password = "ldappassword"
        NAS-IP-Address =
        NAS-Port = 2
        Message-Authenticator = 0x935a295ea594eea2237c17b4cdb74a5e

How can I make Authen::Radius send the request like this so that it will get authenticated correctly?
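
RADIUS does not carry User-Password in the clear: RFC 2865 section 5.2 hides it with MD5 of the shared secret and the Request Authenticator, and the server reverses that with its own copy of the secret, which is what the "Double-check the shared secret" warning in the log refers to. The sketch below is an added example, not code from the post or from Authen::Radius; the function names and the 16-byte authenticator are constructed, and the two secrets are strings that appear in the post, used here only as sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# RFC 2865 5.2: pad the password with NULs to a multiple of 16 octets, then
# XOR each 16-octet block with MD5(secret . previous hidden block). The first
# block uses the Request Authenticator in place of a previous block.
sub hide_password {
    my ($password, $secret, $authenticator) = @_;
    die "password must be 1..128 octets\n"
        unless length($password) >= 1 && length($password) <= 128;
    my $padded = $password . ("\0" x ((16 - length($password) % 16) % 16));
    my ($hidden, $prev) = ('', $authenticator);
    for (my $i = 0; $i < length $padded; $i += 16) {
        my $block = substr($padded, $i, 16) ^ md5($secret . $prev);
        $hidden .= $block;
        $prev    = $block;
    }
    return $hidden;
}

# Server side: the same keystream, chained on the received (hidden) blocks.
sub recover_password {
    my ($hidden, $secret, $authenticator) = @_;
    die "hidden value must be a non-empty multiple of 16 octets\n"
        if !length($hidden) || length($hidden) % 16;
    my ($plain, $prev) = ('', $authenticator);
    for (my $i = 0; $i < length $hidden; $i += 16) {
        my $block = substr($hidden, $i, 16);
        $plain .= $block ^ md5($secret . $prev);
        $prev   = $block;
    }
    $plain =~ s/\0+\z//;    # strip the NUL padding
    return $plain;
}

# Heuristic (an assumption of this example): bytes outside printable ASCII
# in the recovered value suggest the two sides hold different secrets.
sub has_unprintable { return $_[0] =~ /[^\x20-\x7e]/ ? 1 : 0 }

my $authenticator = pack 'C*', 1 .. 16;    # constructed; random in real traffic
my $hidden = hide_password('ldappassword', 'radiuspassword', $authenticator);
for my $server_secret ('radiuspassword', 'testing123') {
    my $seen = recover_password($hidden, $server_secret, $authenticator);
    printf "server secret %-15s -> %s\n", $server_secret,
        has_unprintable($seen) ? 'unprintable bytes (secrets differ)' : "\"$seen\"";
}
```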
