[Swan] Fail to authenticate through PAM+radius in version 3.15, same conf working on 3.13

Paul Wouters paul at nohats.ca
Sun Nov 15 00:13:03 UTC 2015


There is a bug fix for that in git that will be in 3.16. Please check GitHub for the patch.


> On Nov 15, 2015, at 06:26, Antonio Silva <asilva at wirelessmundi.com> wrote:
> 
> Hi,
> 
> I just updated libreswan to the newest 3.15 from 3.13, but now I can't authenticate the user using XAUTH with pam+radius with the same configuration.
> 
> 
> Not sure if it could be some issue with some external lib... I'm using Debian wheezy - I did all the tricks to install with the newest version of nss...
> 
> The password sent to radius server has the same value as the username...
> 
> Could it be because of the Debian version, or could it be an issue in the new version?
> 
> 
> Thanks.
> 
> 
> 
> My pam configuration is:
> 
> auth required pam_radius_auth.so
> account required pam_radius_auth.so
> session required pam_radius_auth.so
> 
> 
> 
> The respective log when it fails is:
> 
> ***------ VERSION 3.15 - ERROR
> 
> Nov 14 21:45:13 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: XAUTH: Sending Username/Password request (XAUTH_R0)
> Nov 14 21:45:13 sol pluto[2605]: XAUTH: User vpnuser: Attempting to login
> Nov 14 21:45:13 sol pluto[2605]: XAUTH: pam authentication being called to authenticate user vpnuser
> Nov 14 21:45:13 sol pluto[2605]: pam_radius_auth: Got user name vpnuser
> Nov 14 21:45:13 sol pluto[2605]: pam_radius_auth: Sending RADIUS request code 1
> Nov 14 21:45:14 sol pluto[2605]: pam_radius_auth: Got RADIUS response code 3
> Nov 14 21:45:14 sol pluto[2605]: pam_radius_auth: authentication failed
> Nov 14 21:45:14 sol pluto[2605]: XAUTH: pam_authenticate failed with 'Authentication failure'
> Nov 14 21:45:14 sol pluto[2605]: XAUTH: User vpnuser: Authentication Failed: Incorrect Username or Password
> Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: Unsupported XAUTH basic attribute XAUTH-STATUS received.
> Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: Expected MODE_CFG_REPLY is missing username and password attribute
> Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: XAUTH: Sending Username/Password request (XAUTH_R0)
> Nov 14 21:45:14 sol pluto[2605]: "tunnel8-aggr"[4] 188.81.44.230 #3: XAUTH: User <unknown>: Authentication Failed (retry 1)
> 
> 
> 
> 
> --- radius recv pkt:
> (0) Received Access-Request Id 151 from 127.0.0.1:5141 to 127.0.0.1:1812 length 126
> (0)   User-Name = "vpnuser"
> (0)   User-Password = "vpnuser"
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Identifier = "pluto"
> (0)   NAS-Port = 4116
> (0)   NAS-Port-Type = Virtual
> (0)   Service-Type = Authenticate-Only
> (0)   Calling-Station-Id = "188.81.44.230"
> 
> 
> ****------ VERSION 3.13 -- SUCCESS
> 
> Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: XAUTH: Sending XAUTH Login/Password Request
> Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> Nov 14 22:16:26 sol pluto[28470]: XAUTH: User vpnuser: Attempting to login
> Nov 14 22:16:26 sol pluto[28470]: XAUTH: pam authentication being called to authenticate user vpnuser
> Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: Got user name vpnuser
> Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: Sending RADIUS request code 1
> Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: Got RADIUS response code 2
> Nov 14 22:16:26 sol pluto[28470]: pam_radius_auth: authentication succeeded
> Nov 14 22:16:26 sol pluto[28470]: XAUTH: PAM_SUCCESS
> Nov 14 22:16:26 sol pluto[28470]: XAUTH: User vpnuser: Authentication Successful
> Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: XAUTH: xauth_inR1(STF_OK)
> Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Nov 14 22:16:26 sol pluto[28470]: "tunnel8-aggr"[2] 188.81.44.230 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> 
> 
> --- radius recv pkt:
> (0) Received Access-Request Id 64 from 127.0.0.1:15519 to 127.0.0.1:1812 length 110
> (0)   User-Name = "vpnuser"
> (0)   User-Password = "1234test"
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Identifier = "pluto"
> (0)   NAS-Port = 14494
> (0)   NAS-Port-Type = Virtual
> (0)   Service-Type = Authenticate-Only
> (0)   Calling-Station-Id = "188.81.44.230"
> 
> 
> 
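
Added example, not part of either message in this thread and not libreswan or FreeRADIUS code: a small triage script that parses FreeRADIUS debug output of the kind quoted above and flags any Access-Request whose User-Password is identical to its User-Name, the symptom reported for 3.15. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample, modelled on the FreeRADIUS debug output quoted in the thread.
SAMPLE = '''\
(0) Received Access-Request Id 151 from 127.0.0.1:5141 to 127.0.0.1:1812 length 126
(0)   User-Name = "vpnuser"
(0)   User-Password = "vpnuser"
(0)   NAS-Identifier = "pluto"
(1) Received Access-Request Id 64 from 127.0.0.1:15519 to 127.0.0.1:1812 length 110
(1)   User-Name = "vpnuser"
(1)   User-Password = "1234test"
(1)   NAS-Identifier = "pluto"
'''

HEADER = re.compile(r'^\((\d+)\)\s+Received Access-Request Id (\d+)\b')
ATTR = re.compile(r'^\((\d+)\)\s+([A-Za-z0-9-]+) = (.*)$')

def parse_requests(text):
    """Return one dict per Access-Request: {'req', 'id', 'attrs'}."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip('> ').rstrip()  # tolerate mail-quoted ("> ") input
        m = HEADER.match(line)
        if m:
            current = {'req': int(m.group(1)), 'id': int(m.group(2)), 'attrs': {}}
            requests.append(current)
            continue
        m = ATTR.match(line)
        # Only attach attributes that belong to the request currently being read.
        if m and current and int(m.group(1)) == current['req']:
            current['attrs'][m.group(2)] = m.group(3).strip('"')
    return requests

def password_equals_username(requests):
    """Return RADIUS packet Ids whose User-Password duplicates User-Name."""
    flagged = []
    for r in requests:
        a = r['attrs']
        if 'User-Password' in a and a.get('User-Name') == a['User-Password']:
            flagged.append(r['id'])
    return flagged

if __name__ == '__main__':
    for pkt_id in password_equals_username(parse_requests(SAMPLE)):
        print(f'Access-Request Id {pkt_id}: User-Password equals User-Name')
```

FreeRADIUS shows the decoded User-Password only in its debug output, so a capture fed to this script contains cleartext credentials and should be handled as such.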

