
#52 Cisco $enab15$ special user

all
open
nobody
1
2017-03-06
2013-03-06
Anonymous
No

daloRADIUS is having problems dealing with the $ at the beginning and at the end of this special user, used by Cisco equipment to get into Privileged Executive Mode. The $ is being converted to =24 and that is why it could never work.

Congratulations on a great product!

rad_recv: Access-Request packet from host 192.168.153.132 port 1645, id=10, length=72
NAS-IP-Address = 192.168.153.132
NAS-Port = 0
NAS-Port-Type = Async
User-Name = "$enab15$"
User-Password = "secretasecreta"
Service-Type = Administrative-User

Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "$enab15$", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[sql] expand: %{User-Name} -> $enab15$
[sql] sql_set_user escaped user --> '$enab15$'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '=24enab15=24' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '=24enab15=24' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User $enab15$ not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject

Executing group from file /etc/freeradius/sites-enabled/default

+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> $enab15$
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 10 to 192.168.153.132 port 1645
Waking up in 4.9 seconds.
Cleaning up request 5 ID 10 with timestamp +2250
Ready to process requests.

Discussion

  • Anonymous

    Anonymous - 2016-08-04

    Here is the fix for that:

    In sql.conf (on older versions) or queries.conf in v3, do:

    # Safe characters list for sql queries. Everything else is replaced
    # with their mime-encoded equivalents.
    # The default list should be ok
    safe_characters = "$@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    
     
  • Anonymous

    Anonymous - 2017-03-06

    For my installation it is "safe-characters" (not "safe_characters") in dialup.conf included from sql.conf in /etc/freeradius/ .
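Added example (not part of the ticket and not FreeRADIUS's own code): a simplified Python model of the escaping visible in the debug log, where every byte outside the safe-character list is replaced by `=XX`. It shows why adding `$` fixes the lookup while quote characters must stay off the list. `DEFAULT_SAFE` is assumed to be the list from the first comment without the `$`, and all function names are hypothetical.

```python
# Simplified model of the rlm_sql safe-character escaping seen in the log.
# Assumption: the list in effect was the commented one minus the leading "$".
DEFAULT_SAFE = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789.-_: /")
PATCHED_SAFE = "$" + DEFAULT_SAFE  # the value proposed in the first comment

# Characters that can end or alter a quoted SQL string literal.
# Allow-listing any of these would defeat the escaping.
SQL_STRING_BREAKERS = set("'\"\\")


def escape(value, safe):
    """Return value with every byte not in `safe` rewritten as =XX (hex)."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if 32 <= byte < 127 and ch in safe:
            out.append(ch)
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def radcheck_query(username, safe):
    """Build the authorize query from the log with the escaped user name."""
    return ("SELECT id, username, attribute, value, op FROM radcheck "
            "WHERE username = '%s' ORDER BY id" % escape(username, safe))


def audit_safe_list(safe):
    """List characters in `safe` that should never be allow-listed."""
    return sorted(SQL_STRING_BREAKERS & set(safe))


if __name__ == "__main__":
    user = "$enab15$"                      # user name from the ticket
    print(radcheck_query(user, DEFAULT_SAFE))   # lookup key is mangled
    print(radcheck_query(user, PATCHED_SAFE))   # lookup key matches radcheck
    hostile = "x' OR '1'='1"               # constructed sample input
    print(escape(hostile, PATCHED_SAFE))   # quotes are still encoded
    print(audit_safe_list(PATCHED_SAFE))   # no string-breaking characters
```

Run `audit_safe_list` against any list before deploying it: an empty result means the change only widens which literal characters reach the query, not what can terminate the string.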

     
