Hello, all! I'm here for a bit of help using Authen::Radius to authenticate against RADIUS with LDAP in the backend. My problem is that RADIUS is receiving a packet from Authen::Radius with the password encrypted or corrupted, so the user is not authenticated. The password needs to be in plaintext. radtest is able to authenticate successfully.
#!/usr/bin/perl -w
# radtest username "ldappassword" localhost 2 testing123
use strict;
use Authen::Radius;

my $r = new Authen::Radius(
    Host   => 'localhost',
    Secret => 'radiuspassword',
    Debug  => 1
);
$r->load_dictionary('/etc/freeradius/dictionary');
#$r->check_pwd('username', 'ldappassword'); # also fails
$r->add_attributes (
    { Name => 'User-Name',      Value => 'username' },
    { Name => 'NAS-IP-Address', Value => '127.0.0.1' },
    { Name => 'User-Password',  Value => 'ldappassword' },
    { Name => 'NAS-Port',       Value => '2' },
);
$r->send_packet(ACCESS_REQUEST) || print "send_packet failed\n";
my $type = $r->recv_packet(1);
if (!$type && $r->get_error() eq 'EBADAUTH') {
    print "Authentication failed\n";
    exit();
}
print "server response type = $type\n";
The output of this script is "Authentication failed." As indicated above, radtest is able to authenticate and prints the password in plain text in the log. However, with Authen::Radius, the log contains (with gibberish replacing each instance of "#65533;" here):
rad_recv: Access-Request packet from host 127.0.0.1 port 58912, id=203, length=50
User-Name = "username"
User-Password = "=\337R\3361\001ا.!\353\346\352\010ܫ"
NAS-IP-Address = 127.0.0.1
*snip*
[ldap] login attempt by "username" with password "=�R�1?ا.!���?ܫ"
[ldap] user DN: uid=username,ou=People,dc=example,dc=com
[ldap] (re)connect to localhost:389, authentication 1
[ldap] bind as uid=username,ou=People,dc=example,dc=com/=�R�1?ا.!���?ܫ to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind failed with invalid credentials
++[ldap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
When using radtest, the log looks like this:
rad_recv: Access-Request packet from host 127.0.0.1 port 47900, id=129, length=74
User-Name = "username"
User-Password = "ldappassword"
NAS-IP-Address = 127.0.0.1
NAS-Port = 2
Message-Authenticator = 0x935a295ea594eea2237c17b4cdb74a5e
How can I make Authen::Radius send the request like this so that it will get authenticated correctly?
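
The FreeRADIUS warning in the log above points at the shared secret, because User-Password is never sent in clear: RFC 2865 section 5.2 hides it with MD5 keyed by the shared secret, and the server reverses that with its own copy. The following is an added example, not part of the original post and not Authen::Radius code; the Request Authenticator is constructed, and it assumes for illustration that the client encodes with the script's Secret while the server holds the secret from the radtest comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
# then c(1) = p(1) XOR MD5(secret . RA), c(i) = p(i) XOR MD5(secret . c(i-1)).
sub hide_password {
    my ($password, $secret, $authenticator) = @_;
    my $padded = $password;
    $padded .= "\0" x ((16 - length($padded) % 16) % 16);
    $padded = "\0" x 16 if $padded eq '';
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($padded); $i += 16) {
        $prev = substr($padded, $i, 16) ^ md5($secret . $prev);
        $out .= $prev;
    }
    return $out;
}

# Server side: the same chain, keyed with the server's copy of the secret.
sub recover_password {
    my ($hidden, $secret, $authenticator) = @_;
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($hidden); $i += 16) {
        my $block = substr($hidden, $i, 16);
        $out .= $block ^ md5($secret . $prev);
        $prev = $block;
    }
    $out =~ s/\0+\z//;    # strip the NUL padding
    return $out;
}

# Render non-printable bytes as octal escapes, as the server log does.
sub printable { my $s = shift; $s =~ s/([^\x20-\x7e])/sprintf '\\%03o', ord $1/ge; $s }

# Constructed 16-byte Request Authenticator (random per request in real traffic).
my $ra     = pack 'H*', '000102030405060708090a0b0c0d0e0f';
# Assumption: the client uses the Secret from the script in the post.
my $hidden = hide_password('ldappassword', 'radiuspassword', $ra);

for my $server_secret ('radiuspassword', 'testing123') {
    my $seen = recover_password($hidden, $server_secret, $ra);
    printf "server secret %-17s -> User-Password = \"%s\"%s\n",
        "'$server_secret'", printable($seen),
        $seen =~ /[^\x20-\x7e]/ ? '   (unprintable: secrets differ)' : '';
}
```

When both sides use the same secret the server recovers "ldappassword" exactly, which is why a working client shows the password in clear in the debug log even though it was hidden on the wire.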