[Bug 256283] FreeBSD-SA-21:12.libradius breaks mpd5 when using MS-CHAPv2

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 31 May 2021 07:18:13 UTC

            Bug ID: 256283
           Summary: FreeBSD-SA-21:12.libradius breaks mpd5 when using
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: topical@gmx.net

This SA breaks mpd5 with MS-CHAPv2. 

No workaround available but to replace libradius* with pre-SA version.

Setup: if there is a dial in server using

  * mpd5
  * external radius server in different jail (freeradius3)
  * MS-CHAPv2 for authentication (done by freeradius3)

authentication succeeds, but mpd5 disconnects immediately because of alleged
missing MS-CHAP2-Success attributes.

Logging of mpd5 shows:

   mpd[10012]: [L_l2tp] RADIUS: Authenticating user 'username'
   mpd[10012]: [L_l2tp] RADIUS: Rec'd RAD_ACCESS_ACCEPT for user 'username'
   mpd[10012]: [L_l2tp]  RADIUS: PANIC no MS-CHAP2-Success received from

Checking this at freeradius3 server and packet capture show that the attribute
indeed exists but seems to be ignored by mpd5/libradius.

Replacing libradius on log in server with pre-SA version makes mpd5 work again:

   mpd[96202]: [L_l2tp] RADIUS: Authenticating user 'user'
   mpd[96202]: [L_l2tp] RADIUS: Rec'd RAD_ACCESS_ACCEPT for user 'user'
   mpd[96202]: [L_l2tp] AUTH: RADIUS returned: authenticated
   mpd[96202]: [L_l2tp] CHAP: Auth return status: authenticated
   mpd[96202]: [L_l2tp] CHAP: Reply message: S=XXXXXXXX
   mpd[96202]: [L_l2tp] CHAP: sending SUCCESS #1 len: 46

I haven't found out which part of fix is to be blamed but this situation is
rather unpleasant (especially since mpd5 is the main application of libradius).

You are receiving this mail because:
You are the assignee for the bug.