Closed ycoheNvidia closed 1 year ago
SONiC Software Version: SONiC.202211_RC7.1-a99614f41_Internal
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
Build commit: a99614f41
Build date: Sun Mar 5 18:03:39 UTC 2023
Built by: sw-r2d2-bot@r-build-sonic-ci03-243
Platform: x86_64-mlnx_msn4600c-r0
HwSKU: ACS-MSN4600C
ASIC: mellanox
ASIC Count: 1
Serial Number: MT2140X00042
Model Number: MSN4600-CS2FO_QP
Hardware Revision: A1
Uptime: 23:22:21 up 45 min, 1 user, load average: 0.33, 0.27, 0.31
Date: Mon 13 Mar 2023 23:22:21
Attachments: sonic_dump_qa-eth-vt03-1-4600ca1_20230313_225348.tar.gz, freeradius.log, auth.log, CLI output.txt
Hi,
The logs attached to the issue indicate that the RADIUS server never sent the MPL attribute as a part of the Access-Accept message.
Freeradius.log:
(8) } # post-auth = noop
(8) Sent Access-Accept Id 152 from 1.0.0.1:1812 to 1.0.0.2:36646 length 0
(8) MS-MPPE-Recv-Key = 0x86428b2a9313d93d570c6b0fc32fdaa1b204eede876a623f4f195737dc22d053
(8) MS-MPPE-Send-Key = 0xd6e828c1f862e0dfa08ef4d4cf65fffce32f950c6b376cc1ee106dbd905edbf1
(8) EAP-Message = 0x03da0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "test"
(8) Finished request
Waking up in 4.9 seconds.
auth.log:
Mar 13 22:53:38.326708 sonic DEBUG sshd[18902]: pam_radius_auth: pam_peap_authenticate: Copying the response
Mar 13 22:53:38.326793 sonic DEBUG sshd[18902]: pam_radius_auth: #012pam_peap_authenticate:Authenticated Successfully > Bye...
Mar 13 22:53:38.326876 sonic DEBUG sshd[18902]: pam_radius_auth: talk_radius: PEAP authentication successful
Mar 13 22:53:38.326961 sonic ERR sshd[18902]: pam_radius_auth: RADIUS Access-Accept received with Management-Privilege-Level missing
Mar 13 22:53:38.331756 sonic INFO /usr/sbin/cache_radius[18916]: /usr/sbin/cache_radius: Missing or bad Privilege in environment:""
Mar 13 22:53:38.331879 sonic INFO /usr/sbin/cache_radius[18916]: /usr/sbin/cache_radius: MPL 1 updated for user test
Mar 13 22:53:38.331967 sonic INFO /usr/sbin/cache_radius[18916]: /usr/sbin/cache_radius: Adjusting Supplementary Groups for "test"
Mar 13 22:53:38.339695 sonic INFO usermod[18918]: delete 'test' from group 'sudo'
Mar 13 22:53:38.339795 sonic INFO usermod[18918]: delete 'test' from group 'admin'
Mar 13 22:53:38.339887 sonic INFO usermod[18918]: delete 'test' from shadow group 'sudo'
Mar 13 22:53:38.339969 sonic INFO usermod[18918]: delete 'test' from shadow group 'admin'
Mar 13 22:53:38.391618 sonic INFO sshd[18902]: Accepted password for test from 10.209.100.117 port 53934 ssh2
The eap.conf file on the RADIUS server must be configured to use 'default_eap_type=peap' (in the eap section) and tunnelling of replies must be enabled for peap via 'use_tunneled_reply = yes' (in the peap section). This will cache attributes for the Access-Accept message.
default_eap_type was configured correctly. I modified use_tunneled_reply but still see the same issue. When using pap or chap as authtype we get the correct MPL. Attached are the logs from the last login: radius_log.log
@adyeung do you have any ETA for the fix? Just to understand the plan and align internally
I've tried with 2 different RADIUS servers, and with only the configuration change provided at the end of this comment, I see MPL being sent in the Access-Accept message.
RADIUS server:
Wed Mar 29 16:27:49 2023 : Auth: (44) Login OK: [test1/] (from client 10.59.142.242/20 port 0)
Wed Mar 29 16:27:49 2023 : Debug: (44) Sent Access-Accept Id 152 from 10.89.17.48:1812 to 10.59.139.64:48611 length 0
Wed Mar 29 16:27:49 2023 : Debug: (44) Management-Privilege-Level = 15
Wed Mar 29 16:27:49 2023 : Debug: (44) User-Name = "test1"
Wed Mar 29 16:27:49 2023 : Debug: (44) MS-MPPE-Recv-Key = 0xd28beeef55b1d94a520e983e2d02c984a75c0baa26b0781f6f88ec5058e57391
Wed Mar 29 16:27:49 2023 : Debug: (44) MS-MPPE-Send-Key = 0x868274bed820952c59367b4c4419255b65bcca3d8c9198fbf535fc28c63b33c8
Wed Mar 29 16:27:49 2023 : Debug: (44) EAP-Message = 0x03da0004
Wed Mar 29 16:27:49 2023 : Debug: (44) Message-Authenticator = 0x00000000000000000000000000000000
Wed Mar 29 16:27:49 2023 : Debug: (44) Finished request
Switch:
[sd938894@lvnvdb3393:~ ] $ ssh test1@10.59.139.64
test1@10.59.139.64's password:
Linux leaf4 5.10.0-18-2-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
...
Last login: Tue Aug 9 14:53:04 2022 from 10.75.221.92
test1@leaf4:~$ id
uid=1004(test1) gid=1004(test1) groups=1004(test1),27(sudo),999(docker),1000(admin)
RADIUS server config:
/etc/freeradius/3.0/mods-available/eap:
27 #default_eap_type = md5
28 default_eap_type = peap

740 #use_tunneled_reply = no
741 use_tunneled_reply = yes

846 #use_tunneled_reply = no
847 use_tunneled_reply = yes

root@app-ibn-csg-02:/etc/freeradius/3.0# freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 25 2020 at 06:11:13
FreeRADIUS Version 3.0.20
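The two FreeRADIUS debug outputs quoted in this thread differ in exactly one reply attribute: the failing PEAP exchange has no Management-Privilege-Level in the Access-Accept, the working one (after use_tunneled_reply = yes) carries MPL 15. The following parser, added here as an example and not part of the SONiC project or the thread, reads FreeRADIUS debug output (with or without the file-log timestamp prefix), collects the attributes of each Sent Access-Accept and reports the MPL per user, so a missing MPL can be spotted on the RADIUS side before the switch demotes the user to MPL 1. The log excerpts are constructed from the thread's output with long key values abbreviated.

```python
import re
from typing import Dict, List, Optional, Tuple

# FreeRADIUS prefixes each debug line with the request number, e.g. "(44) Sent Access-Accept ...";
# in the file log that is preceded by "Wed Mar 29 16:27:49 2023 : Debug: ", which re.search skips.
REQ_RE = re.compile(r"\((\d+)\)\s+(.*)$")
ATTR_RE = re.compile(r'^([\w-]+)\s*=\s*"?([^"]*)"?$')

# Constructed excerpts modelled on the two outputs quoted in this thread (long key values abbreviated).
FAILING_PEAP = """\
(8) Sent Access-Accept Id 152 from 1.0.0.1:1812 to 1.0.0.2:36646 length 0
(8) MS-MPPE-Recv-Key = 0x86428b2a9313d93d...
(8) EAP-Message = 0x03da0004
(8) User-Name = "test"
(8) Finished request
"""
WORKING_PEAP = """\
Wed Mar 29 16:27:49 2023 : Debug: (44) Sent Access-Accept Id 152 from 10.89.17.48:1812 to 10.59.139.64:48611 length 0
Wed Mar 29 16:27:49 2023 : Debug: (44) Management-Privilege-Level = 15
Wed Mar 29 16:27:49 2023 : Debug: (44) User-Name = "test1"
Wed Mar 29 16:27:49 2023 : Debug: (44) Finished request
"""

def parse_access_accepts(log: str) -> Dict[str, Dict[str, str]]:
    """Map request id -> the reply attributes listed between 'Sent Access-Accept' and 'Finished request'."""
    pending: Dict[str, Dict[str, str]] = {}
    done: Dict[str, Dict[str, str]] = {}
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        req_id, body = m.group(1), m.group(2).strip()
        if body.startswith("Sent Access-Accept"):
            pending[req_id] = {}  # start collecting this reply's attributes
        elif body.startswith("Finished request") and req_id in pending:
            done[req_id] = pending.pop(req_id)
        elif req_id in pending and (a := ATTR_RE.match(body)):
            pending[req_id][a.group(1)] = a.group(2)
    return done

def mpl_findings(log: str) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """One (request id, User-Name, MPL) per Access-Accept. MPL None is the case the switch logs as
    'Management-Privilege-Level missing' before cache_radius falls back to MPL 1 and strips groups."""
    out = []
    for req_id, attrs in parse_access_accepts(log).items():
        mpl = attrs.get("Management-Privilege-Level")
        out.append((req_id, attrs.get("User-Name"), int(mpl) if mpl and mpl.isdigit() else None))
    return out
```

Running mpl_findings over a server's debug log after an MSCHAPv2/PEAP login shows immediately whether the attribute left the inner tunnel, which separates a FreeRADIUS configuration problem from a switch-side one.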
Hi, please find the exact config used, along with the line numbers changed in the eap file, in the follow-up comment. We have tried this config with at least 2 different freeRADIUS servers, and the MPL is sent to the SONiC switch and the privilege honoured accordingly in our testing. This is simply a freeRADIUS configuration issue; there is no issue on the SONiC side.
Working freeRADIUS config shared on 3/29/23, there is no SONiC issue based on the analysis, pls reopen if there is anything we missed
Description
Using RADIUS to authenticate, with mschapv2 as the authentication type, the connected user does not receive the MPL defined on the RADIUS server but gets the default non-privileged user settings (MPL=1).
Steps to reproduce the issue:
Describe the results you received:
Using mschapv2, the user is not part of the configured MPL and does not have the right privileges.
Describe the results you expected:
We expect a user authenticated against the RADIUS server with mschapv2 as authtype to have the MPL as configured, and the privileges attached to it as well.
Output of show version:
Distribution: Debian 11.6
Kernel: 5.10.0-12-2-amd64
Build commit: 5be434a7b
Build date: Tue Feb 28 14:11:27 UTC 2023
Output of show techsupport:
Additional information you deem important (e.g. issue happens only occasionally):