Captive Portal RADIUS-Auth Unable to validate credentials at the moment

[Der-Zett]

Describe the bug
We use PackageFence version 11 and authenticate to the CaptivePortal against RADIUS on a Windows Server 2016. PacketFence has not joined the domain and we use ONLY RADIUS as authentication source. Everything worked fine. We have made no ConfigChanges on PacketFence. Since about 4 weeks the login to the Captive Portal is no longer possible. After logging in, the user gets this message:

"Unable to validate credentials at the moment"

BUT: the windows radius-server clearly allows the connection request of the users.

We have the same configuration testet with PacketFence v13 and v14. Allways the same behavior.

These updates for Windows were installed on 30.09.24:
KB5041576
KB5041773
(our security policy does not allow me to uninstall the updates)

On packetfence.log we have this messages:

packetfence_httpd.portal[3821455]: httpd.portal(3821455) INFO: [mac:XXX] Found authentication source(s) : 'RADIUS_PIR-DC01' for realm 'null' (pf::config::util::filter_authentication_sources)
packetfence_httpd.portal[3821455]: httpd.portal(3821455) INFO: [mac:XXX] Authenticating user using sources : RADIUS_PIR-DC01 (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
packetfence_httpd.portal[3821455]: httpd.portal(3821455) ERROR: [mac:XXX] Unable to perform RADIUS authentication on any server: EBADAUTH (pf::Authentication::Source::RADIUSSource::_handle_radius_request)

I have analyzed the network traffic with Wireshark and everything works fine:

18	23.041211	1xx.xxx.xxx.2	1xx.xxx.xxx.13	RADIUS	98	Access-Request id=157
19	23.047808	1xx.xxx.xxx.13	1xx.xxx.xxx.2	RADIUS	162	Access-Accept id=157

I used

/usr/local/pf/bin/pftest authentication KNOWN_USER KNOWN_PASS

and the correct authentication source is also resolved, but the same error message appears:

Authenticating against 'RADIUS_PIR-DC01' in context 'portal'
  Authentication FAILED against RADIUS_PIR-DC01 (Unable to validate credentials at the moment) <--- same error as on WebUI
  Matched against RADIUS_PIR-DC01 for 'authentication' rule Default_Settings
    set_role : default
    set_access_duration : 12h
  Did not match against RADIUS_PIR-DC01 for 'administration' rules

I also used radtest and this works fine:

radtest KNOWN_USER $PASS 1xx.xxx.xxx.xx3:1812 12 $SECRET
Sent Access-Request Id 21 from 0.0.0.0:42889 to 1xx.xxx.xxx.xx3:1812 length 80
        User-Name = "KNOWN_USER"
        User-Password = "XXXX"
        NAS-IP-Address = 1xx.xxx.xxx.xx4
        NAS-Port = 12
        Message-Authenticator = 0x00
        Cleartext-Password = "XXXX"
Received Access-Accept Id 21 from 1xx.xxx.xxx.xx3:1812 to 1xx.xxx.xxx.xx2:42889 length 120
        Message-Authenticator = 0x13585da32f9544affb8a77ceb4fb07a9
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class = 0x7d8107b20000013700010200c0a809e300000000000000000000000001db1383afea5425000000000004a9f1
        MS-Link-Utilization-Threshold = 50
        MS-Link-Drop-Time-Limit = 120

I suspect the problem is with the RADIUS response from the Windows server. Access is allowed, but PacketFence does not process the response properly.

The error is reported in this routine:

/usr/local/pf/lib/pf/Authentication/Source/RADIUSSource.pm
...
sub _handle_radius_request {
    my ($self, $radius, $result) = @_;
    my $logger = get_logger();
    if ($radius->get_error() ne $RADIUS_ERROR_NONE) { <<-- here is the error reported
        $logger->error("Unable to perform  RADIUS authentication on any server: " . Authen::Radius::get_error());
        return ($FALSE, $COMMUNICATION_ERROR_MSG);
    }
    if ($result == ACCESS_ACCEPT) {
        return ($TRUE, $AUTH_SUCCESS_MSG, $self->_fetch_attributes($result, $radius));
    }
    elsif ($result == ACCESS_CHALLENGE) {
        return ($LOGIN_CHALLENGE, $self->_make_challenge_data($result, $radius));
    }
    return ($FALSE, $AUTH_FAIL_MSG);
}
...

How can I solve the problem or better narrow it down? Does anyone have a good idea?

[satkunas]

@fdurand please test/verify

[systeme-UT1]

Same bug against Radius on freeradius with PF 14.

Exactly the same behavior.

Authenticating against 'radius_ut1' in context 'portal'
Authentication FAILED against radius_ut1 (Unable to validate credentials at the moment)
Matched against radius_ut1 for 'authentication' rule Authentification_ut1
set_role : Auth_UT1_rj
set_access_duration : 12h
Did not match against radius_ut1 for 'administration' rules

Did you find a way to resolve the issue ?

[Der-Zett]

On our side, these two KBs have caused the problem:

KB5040437
KB5040268

This problem arises because Authen::Radius compares a raw binary value ($calc_hmac) and a decoded, hexdumpart value ($rfc3579_msg_auth).

I made the following changes in /usr/local/pf/lib_perl/lib/perl5/Authen/Radius.pm:

Faulty code is :

$rfc3579_msg_auth = $a->{Value};

should be:

$rfc3579_msg_auth = $a->{RawValue};

[systeme-UT1]

Thank you,

After I modify radius.pm the test ./pftest authentication succeed :

Authenticating against 'radius_ut1' in context 'portal'
Authentication SUCCEEDED against radius_ut1 (Authentication successful.)
Matched against radius_ut1 for 'authentication' rule Authentification_ut1
set_role : Auth_UT1_rj
set_access_duration : 12h
Did not match against radius_ut1 for 'administration' rules

But when I try on the captive portal I still have the "Unable to validate credentials at the moment" and these logs in packetfence.log :

Feb 4 15:40:10 hotspot-rj httpd.portal-docker-wrapper[27367]: httpd.portal(16) INFO: Instantiate profile HOTSPOT (pf::Connection::ProfileFactory::_from_profile)
Feb 4 15:40:10 hotspot-rj httpd.portal-docker-wrapper[27367]: httpd.portal(16) INFO: Allowing user through portal even though he is registered as the release bypass is set and the connection profile is configured to let registered users use the registration module of the portal. (captiveportal::PacketFence::DynamicRouting::Module::Root::execute_child)
Feb 4 15:40:11 hotspot-rj httpd.portal-docker-wrapper[27367]: httpd.portal(16) INFO: Found authentication source(s) : 'radius_ut1' for realm 'null' (pf::config::util::filter_authentication_sources)
Feb 4 15:40:11 hotspot-rj httpd.portal-docker-wrapper[27367]: httpd.portal(16) INFO: Authenticating user using sources : radius_ut1 (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Feb 4 15:40:11 hotspot-rj httpd.portal-docker-wrapper[27367]: httpd.portal(16) ERROR: Unable to perform RADIUS authentication on any server: EBADAUTH (pf::Authentication::Source::RADIUSSource::_handle_radius_request)


I'm almost there ...

[Der-Zett]

Hmmm...try the last version of Authen::Radius and have you restarted httpd.portal?

Unfortunately, I don't have any more tips.

[jrouzierinverse]

We have a fix for this

[systeme-UT1]

Great ! Because even after httpd.portal restart it is the same ...
Can you tell me more about this fix ? Where can I find it and how can I apply it ?

I am running Packetfence version 14.0.0

Thank you.