Date: Mon, 31 May 2021 07:18:13 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256283 Bug ID: 256283 Summary: FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2 Product: Base System Version: 13.0-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: email@example.com This SA breaks mpd5 with MS-CHAPv2. No workaround available but to replace libradius* with pre-SA version. Setup: if there is a dial in server using * mpd5 * external radius server in different jail (freeradius3) * MS-CHAPv2 for authentication (done by freeradius3) authentication succeeds, but mpd5 disconnects immediately because of alleged missing MS-CHAP2-Success attributes. Logging of mpd5 shows: mpd: [L_l2tp] RADIUS: Authenticating user 'username' mpd: [L_l2tp] RADIUS: Rec'd RAD_ACCESS_ACCEPT for user 'username' mpd: [L_l2tp] RADIUS: PANIC no MS-CHAP2-Success received from server! Checking this at freeradius3 server and packet capture show that the attribute indeed exists but seems to be ignored by mpd5/libradius. Replacing libradius on log in server with pre-SA version makes mpd5 work again: mpd: [L_l2tp] RADIUS: Authenticating user 'user' mpd: [L_l2tp] RADIUS: Rec'd RAD_ACCESS_ACCEPT for user 'user' mpd: [L_l2tp] AUTH: RADIUS returned: authenticated mpd: [L_l2tp] CHAP: Auth return status: authenticated mpd: [L_l2tp] CHAP: Reply message: S=XXXXXXXX mpd: [L_l2tp] CHAP: sending SUCCESS #1 len: 46 I haven't found out which part of fix is to be blamed but this situation is rather unpleasant (especially since mpd5 is the main application of libradius). -- You are receiving this mail because: You are the assignee for the bug.