[Swan] Fail to authenticate through PAM+radius in version 3.15, same conf working on 3.13

Antonio Silva asilva at wirelessmundi.com
Sat Nov 14 21:26:36 UTC 2015


Hi,

I just updated libreswan to the newest 3.15 from 3.13, but now I can't 
authenticate the user using XAUTH with pam+radius with the same 
configuration.


Not sure if it could be some issue with some external lib... I'm using 
Debian wheezy - I did all the tricks to install with the newest version 
of nss...

The password sent to radius server has the same value as the username...

Could it be because of the Debian version, or could it be an issue in the new 
version?


Thanks.



My pam configuration is:

auth required pam_radius_auth.so
account required pam_radius_auth.so
session required pam_radius_auth.so



The respective log when it fails is:

***------ VERSION 3.15 - ERROR

Nov 14 21:45:13 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: 
XAUTH: Sending Username/Password request (XAUTH_R0)
Nov 14 21:45:13 sol pluto[2605]: XAUTH: User vpnuser: Attempting to login
Nov 14 21:45:13 sol pluto[2605]: XAUTH: pam authentication being called 
to authenticate user vpnuser
Nov 14 21:45:13 sol pluto[2605]: pam_radius_auth: Got user name vpnuser
Nov 14 21:45:13 sol pluto[2605]: pam_radius_auth: Sending RADIUS request 
code 1
Nov 14 21:45:14 sol pluto[2605]: pam_radius_auth: Got RADIUS response code 3
Nov 14 21:45:14 sol pluto[2605]: pam_radius_auth: authentication failed
Nov 14 21:45:14 sol pluto[2605]: XAUTH: pam_authenticate failed with 
'Authentication failure'
Nov 14 21:45:14 sol pluto[2605]: XAUTH: User vpnuser: Authentication 
Failed: Incorrect Username or Password
Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: 
Unsupported XAUTH basic attribute XAUTH-STATUS received.
Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: 
Expected MODE_CFG_REPLY is missing username and password attribute
Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: 
XAUTH: Sending Username/Password request (XAUTH_R0)
Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: 
XAUTH: User <unknown>: Authentication Failed (retry 1)




--- radius recv pkt:
(0) Received Access-Request Id 151 from 127.0.0.1:5141 to 127.0.0.1:1812 
length 126
(0)   User-Name = "vpnuser"
(0)   User-Password = "vpnuser"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Identifier = "pluto"
(0)   NAS-Port = 4116
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Authenticate-Only
(0)   Calling-Station-Id = "188.81.44.230"


****------ VERSION 3.13 -- SUCCESS

Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: 
XAUTH: Sending XAUTH Login/Password Request
Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: 
XAUTH: Sending Username/Password request (XAUTH_R0)
Nov 14 22:16:26 sol pluto[28470]: XAUTH: User vpnuser: Attempting to login
Nov 14 22:16:26 sol pluto[28470]: XAUTH: pam authentication being called 
to authenticate user vpnuser
Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: Got user name vpnuser
Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: Sending RADIUS 
request code 1
Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: Got RADIUS response 
code 2
Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: authentication succeeded
Nov 14 22:16:26 sol pluto[28470]: XAUTH: PAM_SUCCESS
Nov 14 22:16:26 sol pluto[28470]: XAUTH: User vpnuser: Authentication 
Successful
Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: 
XAUTH: xauth_inR1(STF_OK)
Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: 
transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established


--- radius recv pkt:
(0) Received Access-Request Id 64 from 127.0.0.1:15519 to 127.0.0.1:1812 
length 110
(0)   User-Name = "vpnuser"
(0)   User-Password = "1234test"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Identifier = "pluto"
(0)   NAS-Port = 14494
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Authenticate-Only
(0)   Calling-Station-Id = "188.81.44.230"
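
A small check for the symptom reported above, as an added example that is not part of the original post or of libreswan: it parses RADIUS server debug output in the format quoted in the message and reports Access-Requests whose User-Password repeats the User-Name. The sample input is constructed from the two packets shown (renumbered as requests 0 and 1), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the two debug dumps quoted in the post.
SAMPLE = """\
(0) Received Access-Request Id 151 from 127.0.0.1:5141 to 127.0.0.1:1812
length 126
(0)   User-Name = "vpnuser"
(0)   User-Password = "vpnuser"
(0)   NAS-Identifier = "pluto"
(1) Received Access-Request Id 64 from 127.0.0.1:15519 to 127.0.0.1:1812
length 110
(1)   User-Name = "vpnuser"
(1)   User-Password = "1234test"
(1)   NAS-Identifier = "pluto"
"""

HEADER = re.compile(r"^\((\d+)\)\s+Received Access-Request Id (\d+)")
ATTR = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.*)$")


def parse_requests(text):
    """Group attribute lines by their (N) request number; one dict per request."""
    requests = {}
    for line in text.splitlines():
        line = line.rstrip()
        m = HEADER.match(line)
        if m:
            requests[m.group(1)] = {"_id": int(m.group(2))}
            continue
        m = ATTR.match(line)
        if m and m.group(1) in requests:
            requests[m.group(1)][m.group(2)] = m.group(3).strip('"')
        # Wrapped continuation lines such as "length 126" match neither
        # pattern and are skipped.
    return list(requests.values())


def password_equals_username(text):
    """Return the packet Ids whose User-Password is identical to User-Name."""
    hits = []
    for req in parse_requests(text):
        user, password = req.get("User-Name"), req.get("User-Password")
        if user is not None and user == password:
            hits.append(req["_id"])
    return hits


if __name__ == "__main__":
    for pkt_id in password_equals_username(SAMPLE):
        print(f"Access-Request Id {pkt_id}: User-Password equals User-Name")
```

The debug output this reads contains cleartext passwords, as the dumps in the message show, so capture it with a test account and delete the capture afterwards.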




