Date:      Mon, 31 May 2021 07:18:13 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 256283] FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2
Message-ID:  <bug-256283-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256283

            Bug ID: 256283
           Summary: FreeBSD-SA-21:12.libradius breaks mpd5 when using
                    MS-CHAPv2
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: topical@gmx.net

This SA breaks mpd5 with MS-CHAPv2.

No workaround available but to replace libradius* with pre-SA version.

Setup: if there is a dial in server using

  * mpd5
  * external radius server in different jail (freeradius3)
  * MS-CHAPv2 for authentication (done by freeradius3)

authentication succeeds, but mpd5 disconnects immediately because of alleged
missing MS-CHAP2-Success attributes.

Logging of mpd5 shows:

   mpd[10012]: [L_l2tp] RADIUS: Authenticating user 'username'
   mpd[10012]: [L_l2tp] RADIUS: Rec'd RAD_ACCESS_ACCEPT for user 'username'
   mpd[10012]: [L_l2tp]  RADIUS: PANIC no MS-CHAP2-Success received from server!

Checking this at the freeradius3 server and in a packet capture shows that the
attribute indeed exists but seems to be ignored by mpd5/libradius.

Replacing libradius on the login server with the pre-SA version makes mpd5 work again:

   mpd[96202]: [L_l2tp] RADIUS: Authenticating user 'user'
   mpd[96202]: [L_l2tp] RADIUS: Rec'd RAD_ACCESS_ACCEPT for user 'user'
   mpd[96202]: [L_l2tp] AUTH: RADIUS returned: authenticated
   mpd[96202]: [L_l2tp] CHAP: Auth return status: authenticated
   mpd[96202]: [L_l2tp] CHAP: Reply message: S=XXXXXXXX
   mpd[96202]: [L_l2tp] CHAP: sending SUCCESS #1 len: 46

I haven't found out which part of the fix is to blame, but this situation is
rather unpleasant (especially since mpd5 is the main application of libradius).

-- 
You are receiving this mail because:
You are the assignee for the bug.
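
Added example, not part of the original report and not FreeBSD, mpd5 or libradius code: a stand-alone check that a captured Access-Accept really carries MS-CHAP2-Success, the kind of confirmation the reporter describes doing from a packet capture. The attribute numbers (Vendor-Specific 26, Microsoft vendor id 311, vendor type 26) are taken from RFC 2865 and RFC 2548; the sample packet, its zeroed authenticator and the `S=` value are constructed, and all function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
VENDOR_SPECIFIC = 26     # RFC 2865 attribute type
VENDOR_MICROSOFT = 311   # RFC 2548 vendor id
MS_CHAP2_SUCCESS = 26    # RFC 2548 vendor type

def iter_tlv(buf):
    """Yield (type, value) for 1-byte-type/1-byte-length TLVs; reject bad lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        yield typ, buf[pos + 2:pos + length]
        pos += length

def find_ms_chap2_success(packet):
    """Return (ident, string) of MS-CHAP2-Success in an Access-Accept, else None."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCESS_ACCEPT:
        return None
    for typ, value in iter_tlv(packet[20:length]):
        if typ != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != VENDOR_MICROSOFT:
            continue
        # A Vendor-Specific attribute may pack several vendor sub-attributes.
        for vtype, vdata in iter_tlv(value[4:]):
            if vtype == MS_CHAP2_SUCCESS and len(vdata) >= 1:
                return vdata[0], vdata[1:].decode("ascii", "replace")
    return None

def build_sample_accept(with_success=True):
    """Constructed Access-Accept: zeroed authenticator, made-up S= value."""
    attrs = bytes([1, 6]) + b"user"                      # User-Name
    if with_success:
        sub = bytes([1]) + b"S=" + b"0" * 40             # ident + 42-byte string
        vsa = struct.pack("!I", VENDOR_MICROSOFT) + bytes([MS_CHAP2_SUCCESS, 2 + len(sub)]) + sub
        attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) + bytes(16) + attrs
```

To use it on real traffic, pass the UDP payload of the Access-Accept as `bytes`; a `None` result means the server did not send the attribute, while a tuple means it is on the wire and the client side is where to look.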