
RADIUS authentication users do not work
In progress, Urgent! | Public | BUG

Description

RADIUS authentication users do not work

set system login radius server 192.168.122.14 key 'vyos-secret'

RADIUS configuration:
clients

client ALL-DEVICES {
    secret = vyos-secret
    nastype = other
    ipaddr = 0.0.0.0/0
}

users

# User configuration
adminuser   Cleartext-Password := "vyos"
            Service-Type = NAS-Prompt-User,
            Cisco-AVPair = "shell:priv-lvl=15"

ro          Cleartext-Password := "vyos"
            Service-Type = NAS-Prompt-User,
            Cisco-AVPair = "shell:priv-lvl=1"

Log:

Jan 06 17:02:42 r14 sshd[5642]: Invalid user adminuser from 192.168.122.1 port 32782
Jan 06 17:02:44 r14 sshd[5642]: pam_unix(sshd:auth): check pass; user unknown
Jan 06 17:02:44 r14 sshd[5642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1
Jan 06 17:02:46 r14 sshd[5642]: Failed password for invalid user adminuser from 192.168.122.1 port 32782 ssh2

Jan 06 17:03:27 r14 sshd[5650]: Invalid user ro from 192.168.122.1 port 51042
Jan 06 17:03:30 r14 sshd[5650]: pam_unix(sshd:auth): check pass; user unknown
Jan 06 17:03:30 r14 sshd[5650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1
Jan 06 17:03:31 r14 sshd[5650]: Failed password for invalid user ro from 192.168.122.1 port 51042 ssh2

RADIUS server logs:

Mon Jan  6 15:02:43 2025 : Auth: (19) Login incorrect (pap: Cleartext password does not match "known good" password): [adminuser/?  ?] (from client ALL-DEVICES port 5642 cli 192.168.122.1)
Mon Jan  6 15:03:29 2025 : Auth: (20) Login incorrect (pap: Cleartext password does not match "known good" password): [ro/?  ?] (from client ALL-DEVICES port 5650 cli 192.168.122.1)

On the rolling release, SSH works fine with the same RADIUS server:

Jan 06 15:05:27 vpp-left sshd[7753]: Accepted password for adminuser from 192.168.122.1 port 60174 ssh2
Jan 06 15:05:27 vpp-left sshd[7753]: pam_unix(sshd:session): session opened for user adminuser(uid=1001) by (uid=0)
Jan 06 15:05:27 vpp-left systemd-logind[861]: New session 18 of user adminuser.
Jan 06 15:05:27 vpp-left systemd[1]: Started session-18.scope - Session 18 of User adminuser.
Jan 06 15:05:27 vpp-left systemd[1]: opt-vyatta-config-tmp-new_config_7757.mount: Deactivated successfully.
Jan 06 15:05:27 vpp-left sshd[7753]: pam_env(sshd:session): deprecated reading of user environment enabled

Details

Version: 1.4.1
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
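A triage sketch for the logs in this report, added here and not part of the ticket or of VyOS: it joins each RADIUS reject to its sshd session and flags rejects where sshd had already logged "Invalid user", meaning the account failed local lookup on the router rather than the operator mistyping a password. Assumptions: the RADIUS "port" value is the sshd PID (taken from the matching 5642 and 5650 values above), the third log pair is constructed for contrast, and the names classify_rejects, INVALID and REJECT are hypothetical.

```python
import re

# sshd lines from the report, plus one constructed session (PID 6001) for contrast.
SSHD_LOG = """\
Jan 06 17:02:42 r14 sshd[5642]: Invalid user adminuser from 192.168.122.1 port 32782
Jan 06 17:02:46 r14 sshd[5642]: Failed password for invalid user adminuser from 192.168.122.1 port 32782 ssh2
Jan 06 17:03:27 r14 sshd[5650]: Invalid user ro from 192.168.122.1 port 51042
Jan 06 17:03:31 r14 sshd[5650]: Failed password for invalid user ro from 192.168.122.1 port 51042 ssh2
Jan 06 17:10:02 r14 sshd[6001]: Failed password for adminuser from 192.168.122.1 port 40000 ssh2
"""
# RADIUS server lines from the report, plus the constructed request (21).
RADIUS_LOG = """\
Mon Jan  6 15:02:43 2025 : Auth: (19) Login incorrect (pap: Cleartext password does not match "known good" password): [adminuser/?  ?] (from client ALL-DEVICES port 5642 cli 192.168.122.1)
Mon Jan  6 15:03:29 2025 : Auth: (20) Login incorrect (pap: Cleartext password does not match "known good" password): [ro/?  ?] (from client ALL-DEVICES port 5650 cli 192.168.122.1)
Mon Jan  6 15:10:01 2025 : Auth: (21) Login incorrect (pap: Cleartext password does not match "known good" password): [adminuser/x] (from client ALL-DEVICES port 6001 cli 192.168.122.1)
"""

# "Invalid user" (capital I) is logged once per session when the name has no local account.
INVALID = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from \S+")
# Request id, user name, client name, port and calling station of a rejected login.
REJECT = re.compile(
    r"Auth: \((\d+)\) Login incorrect.*?\[([^/\]]+)/.*\] "
    r"\(from client (\S+) port (\d+) cli ([^)\s]+)\)"
)


def classify_rejects(sshd_log, radius_log):
    """Label each RADIUS reject by whether sshd knew the account at all."""
    # Assumption: RADIUS 'port' == sshd PID, so (pid, user) is the join key.
    invalid = {(m.group(1), m.group(2)) for m in INVALID.finditer(sshd_log)}
    results = []
    for m in REJECT.finditer(radius_log):
        request, user, client, port, source = m.groups()
        verdict = "user-unknown-to-sshd" if (port, user) in invalid else "password-rejected"
        results.append({"request": int(request), "user": user, "client": client,
                        "sshd_pid": int(port), "source": source, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in classify_rejects(SSHD_LOG, RADIUS_LOG):
        print(row)
```

The timestamps are deliberately not used for the join, since the router and the RADIUS server in this report log with a two-hour offset.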