sonic-net / sonic-buildimage

Scripts which perform an installable binary image build for SONiC

RADIUS with mschapv2 does not provide MPL as configured #14184

Closed ycoheNvidia closed 1 year ago

ycoheNvidia commented 1 year ago

Description

Using radius to authenticate, with mschapv2 as authentication type, user connected does not receive the MPL defined in the RADIUS server, but gets the default non-privilege user settings (MPL=1)

Steps to reproduce the issue:

  1. Set up a RADIUS server, configured to be aligned with the client, and configure a user with an MPL higher than 1. For example, in a freeradius server add the following lines to /etc/raddb/users:
     raduser Cleartext-Password := "radpass"
             Management-Privilege-Level := 15
  2. Configure the client to use radius as the authentication method:
    • sudo config aaa authentication failthrough enable
    • sudo config aaa authentication login radius local
    • sudo ln -s /bin/bash /usr/bin/sonic-launch-shell #(this is to override the bug opened in https://github.com/sonic-net/sonic-buildimage/issues/11352)
    • sudo config radius authtype mschapv2
    • sudo config radius add SERVER-IP -k SERVER-PASSKEY
  3. Try to connect with the configured user; after authentication, call 'groups' to see that it is only part of the default groups, which are the user itself and 'docker'.

Describe the results you received:

Using mschapv2, the user is not part of the configured MPL and does not have the right privileges.

Describe the results you expected:

We expect a user authenticated with the RADIUS server and mschapv2 as authtype to have the MPL as configured, and the privileges attached to it as well.

Output of show version:

Distribution: Debian 11.6
Kernel: 5.10.0-12-2-amd64
Build commit: 5be434a7b
Build date: Tue Feb 28 14:11:27 UTC 2023


Hedgehog-Guru commented 1 year ago
SONiC Software Version: SONiC.202211_RC7.1-a99614f41_Internal
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
Build commit: a99614f41
Build date: Sun Mar  5 18:03:39 UTC 2023
Built by: sw-r2d2-bot@r-build-sonic-ci03-243

Platform: x86_64-mlnx_msn4600c-r0
HwSKU: ACS-MSN4600C
ASIC: mellanox
ASIC Count: 1
Serial Number: MT2140X00042
Model Number: MSN4600-CS2FO_QP
Hardware Revision: A1
Uptime: 23:22:21 up 45 min,  1 user,  load average: 0.33, 0.27, 0.31
Date: Mon 13 Mar 2023 23:22:21

sonic_dump_qa-eth-vt03-1-4600ca1_20230313_225348.tar.gz freeradius.log auth.log CLI output.txt

shdasari commented 1 year ago

Hi,

The logs attached to the issue indicate that the RADIUS server never sent the MPL attribute as a part of the Access-Accept message.

Freeradius.log:

8) } # post-auth = noop
(8) Sent Access-Accept Id 152 from 1.0.0.1:1812 to 1.0.0.2:36646 length 0
(8)   MS-MPPE-Recv-Key = 0x86428b2a9313d93d570c6b0fc32fdaa1b204eede876a623f4f195737dc22d053
(8)   MS-MPPE-Send-Key = 0xd6e828c1f862e0dfa08ef4d4cf65fffce32f950c6b376cc1ee106dbd905edbf1
(8)   EAP-Message = 0x03da0004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "test"
(8) Finished request
Waking up in 4.9 seconds.

auth.log:

Mar 13 22:53:38.326708 sonic DEBUG sshd[18902]: pam_radius_auth: pam_peap_authenticate: Copying the response
Mar 13 22:53:38.326793 sonic DEBUG sshd[18902]: pam_radius_auth: #012pam_peap_authenticate:Authenticated Successfully > Bye...
Mar 13 22:53:38.326876 sonic DEBUG sshd[18902]: pam_radius_auth: talk_radius: PEAP authentication successful
Mar 13 22:53:38.326961 sonic ERR sshd[18902]: pam_radius_auth: RADIUS Access-Accept received with Management-Privilege-Level missing
Mar 13 22:53:38.331756 sonic INFO /usr/sbin/cache_radius[18916]: /usr/sbin/cache_radius: Missing or bad Privilege in environment:""
Mar 13 22:53:38.331879 sonic INFO /usr/sbin/cache_radius[18916]: /usr/sbin/cache_radius: MPL 1 updated for user test
Mar 13 22:53:38.331967 sonic INFO /usr/sbin/cache_radius[18916]: /usr/sbin/cache_radius: Adjusting Supplementary Groups for "test"
Mar 13 22:53:38.339695 sonic INFO usermod[18918]: delete 'test' from group 'sudo'
Mar 13 22:53:38.339795 sonic INFO usermod[18918]: delete 'test' from group 'admin'
Mar 13 22:53:38.339887 sonic INFO usermod[18918]: delete 'test' from shadow group 'sudo'
Mar 13 22:53:38.339969 sonic INFO usermod[18918]: delete 'test' from shadow group 'admin'
Mar 13 22:53:38.391618 sonic INFO sshd[18902]: Accepted password for test from 10.209.100.117 port 53934 ssh2

The eap.conf file on the RADIUS server must be configured to use 'default_eap_type=peap' (in the eap section) and tunnelling of replies must be enabled for peap via 'use_tunneled_reply = yes' (in the peap section). This will cache attributes for the Access-Accept message.

ycoheNvidia commented 1 year ago

default_eap_type was configured correctly. Modified use_tunneled_reply but I still see the same issue. When using pap or chap as authtype we are getting correct MPL. Attached logs from last login radius_log.log

shdasari commented 1 year ago

I've tried with 2 different RADIUS servers, and with only the configuration change provided at the end of this comment, I see MPL being sent in the Access-Accept message.

RADIUS server:

Wed Mar 29 16:27:49 2023 : Auth: (44) Login OK: [test1/] (from client 10.59.142.242/20 port 0)
Wed Mar 29 16:27:49 2023 : Debug: (44) Sent Access-Accept Id 152 from 10.89.17.48:1812 to 10.59.139.64:48611 length 0
Wed Mar 29 16:27:49 2023 : Debug: (44)   Management-Privilege-Level = 15
Wed Mar 29 16:27:49 2023 : Debug: (44)   User-Name = "test1"
Wed Mar 29 16:27:49 2023 : Debug: (44)   MS-MPPE-Recv-Key = 0xd28beeef55b1d94a520e983e2d02c984a75c0baa26b0781f6f88ec5058e57391
Wed Mar 29 16:27:49 2023 : Debug: (44)   MS-MPPE-Send-Key = 0x868274bed820952c59367b4c4419255b65bcca3d8c9198fbf535fc28c63b33c8
Wed Mar 29 16:27:49 2023 : Debug: (44)   EAP-Message = 0x03da0004
Wed Mar 29 16:27:49 2023 : Debug: (44)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Mar 29 16:27:49 2023 : Debug: (44) Finished request

Switch:

[sd938894@lvnvdb3393:~ ] $ ssh test1@10.59.139.64
test1@10.59.139.64's password:
Linux leaf4 5.10.0-18-2-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
...
Last login: Tue Aug 9 14:53:04 2022 from 10.75.221.92
test1@leaf4:~$ id
uid=1004(test1) gid=1004(test1) groups=1004(test1),27(sudo),999(docker),1000(admin)

RADIUS server config:

/etc/freeradius/3.0/mods-available/eap:

27 #default_eap_type = md5
28 default_eap_type = peap

740 #use_tunneled_reply = no
741 use_tunneled_reply = yes

846 #use_tunneled_reply = no
847 use_tunneled_reply = yes

root@app-ibn-csg-02:/etc/freeradius/3.0# freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 25 2020 at 06:11:13
FreeRADIUS Version 3.0.20
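As an added example (not code from the SONiC project or from anyone in this thread), a small Python check that parses a FreeRADIUS-style eap module file and flags the two settings shdasari names above, so an operator can verify a server before attributing a missing MPL to the switch. The before/after fragments are constructed, and the section-tracking parser and its dotted key names are my own.

```python
import re

# Constructed fragments of a FreeRADIUS mods-available/eap file (not the real
# file), cut down to the sections this issue turns on.
EAP_BROKEN = """eap {
    default_eap_type = md5
    peap {
        #use_tunneled_reply = yes
        use_tunneled_reply = no
    }
}"""

EAP_FIXED = """eap {
    #default_eap_type = md5
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
    }
    peap {
        tls = tls-common
        #use_tunneled_reply = no
        use_tunneled_reply = yes
    }
}"""

SECTION_OPEN = re.compile(r"^\s*([\w.-]+)(?:\s+[\w.-]+)?\s*\{\s*$")
ASSIGN = re.compile(r"^\s*([\w.-]+)\s*=\s*(\S+)")

def parse_conf(text):
    """Flatten the config into {"eap.peap.use_tunneled_reply": "yes", ...}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # a commented-out default never counts
        if not line.strip():
            continue
        if m := SECTION_OPEN.match(line):      # "peap {" or "tls-config tls-common {"
            stack.append(m.group(1))
        elif line.strip() == "}":
            stack.pop()
        elif m := ASSIGN.match(line):          # a later assignment wins
            settings[".".join(stack + [m.group(1)])] = m.group(2).strip('"')
    return settings

# The two settings shdasari names; without them FreeRADIUS never copies
# Management-Privilege-Level from the tunneled reply into the Access-Accept.
REQUIRED = {"eap.default_eap_type": "peap", "eap.peap.use_tunneled_reply": "yes"}

def check_mpl_config(text):
    # (key, expected, found) per bad setting; [] means the MPL should reach the switch
    found = parse_conf(text)
    return [(k, v, found.get(k)) for k, v in REQUIRED.items() if found.get(k) != v]
```

Run `check_mpl_config(open("/etc/freeradius/3.0/mods-available/eap").read())` on the server; a non-empty list points at the exact line to fix.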

liat-grozovik commented 1 year ago

@adyeung do you have any ETA for the fix? Just to understand the plan and align internally

shdasari commented 1 year ago

Hi, please find the exact config used along with line numbers changed in eap file in the follow-up comment. We have tried this config with at least 2 different freeRADIUS servers and the MPL is sent to the SONiC switch and privilege honoured accordingly in our testing. This is simply a freeRADIUS configuration issue, there is no issue on the SONiC side.

adyeung commented 1 year ago

Working freeRADIUS config shared on 3/29/23, there is no SONiC issue based on the analysis, pls reopen if there is anything we missed