Authentication with Freeradius fails since upgrade to version >= 3.0.5

Solution Verified - Updated

Environment

  • freeradius >= 3.0.5

Issue

  • Since the upgrade of Freeradius to version >= 3.0.5 (e.g. freeradius-3.0.13-8.el7_4), authentication fails with the message shown below

    Auth: (0) Invalid user (Rejected: User-Name contains multiple ..s): [xxx]
    
  • Since the upgrade of Freeradius to version >= 3.0.5 (e.g. freeradius-3.0.13-8.el7_4), customized policies do not work anymore

Resolution

Since Freeradius >= 3.0.5 (e.g. freeradius-3.0.13-8.el7_4), a new backslash-escaping syntax is used for the regexes in the policy rules, so that they conform to the usual regex convention.

  1. Check for the Regex syntax currently used in the policy files

    • Example where the old Regex syntax is used
    # grep '\\\\' $(find /etc/raddb/policy.d -type f -print)
    /etc/raddb/policy.d/filter:	if (&User-Name && (&User-Name =~ /@|\\/)) {
    /etc/raddb/policy.d/filter:	if (&User-Name =~ /\\.\\./ ) {
    /etc/raddb/policy.d/filter:	if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
    /etc/raddb/policy.d/filter:	if (&User-Name =~ /\\.$/)  {
    /etc/raddb/policy.d/filter:	if (&User-Name =~ /@\\./)  {
    

    This output indicates that /etc/raddb/policy.d/filter has been customized, which caused Yum not to update that file. In that case, there should be a corresponding /etc/raddb/policy.d/filter.rpmnew file.

    • Example where the new Regex syntax is used (only the following line should be printed out)
    # grep '\\\\' $(find /etc/raddb/policy.d -type f -print)
    /etc/raddb/policy.d/filter:	if (&User-Name && (&User-Name =~ /@|\\/)) {
    
  2. If the old Regex syntax is used in some files, it is recommended to update the customized files to the new Regex syntax style

    • Example of the old Regex syntax (excerpt from /etc/raddb/policy.d/filter prior to update)
    if (&User-Name =~ /\\.\\./ ) {
    
    • Example of the new Regex syntax (excerpt from /etc/raddb/policy.d/filter after update)
    if (&User-Name =~ /\.\./ ) {
    

    As shown above, the new Regex syntax no longer doubles the backslashes: a single backslash is enough to escape a regex metacharacter.

  3. Make sure the correct_escapes = true property is set in /etc/raddb/radiusd.conf

    Typically, if /etc/raddb/radiusd.conf has been customized, Yum did not update the file. In that case, there should be a corresponding /etc/raddb/radiusd.conf.rpmnew file that needs to be merged with the current configuration file.

    The property to add is shown below (excerpt from /etc/raddb/radiusd.conf shipped with the package):

    #
    #  correct_escapes: use correct backslash escaping
    #
    #  Prior to version 3.0.5, the handling of backslashes was a little
    #  awkward, i.e. "wrong".  In some cases, to get one backslash into
    #  a regex, you had to put 4 in the config files.
    #
    #  Version 3.0.5 fixes that.  However, for backwards compatibility,
    #  the new method of escaping is DISABLED BY DEFAULT.  This means
    #  that upgrading to 3.0.5 won't break your configuration.
    #
    #  If you don't have double backslashes (i.e. \\) in your configuration,
    #  this won't matter to you.  If you do have them, fix that to use only
    #  one backslash, and then set "correct_escapes = true".
    #
    #  You can check for this by doing:
    #
    #       $ grep '\\\\' $(find raddb -type f -print)
    #
    correct_escapes = true
    
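The following script, added here as an example and not part of the Red Hat solution, automates steps 1 and 3 together: it reads the effective correct_escapes value from radiusd.conf, flags policy lines that still use the old doubled escaping (while skipping the `\\/` line the article expects to remain), and reports the mismatch described under Root Cause. The directory layout ($RADDB/radiusd.conf, $RADDB/policy.d/*) and the sample files it builds are assumptions.

```shell
# Added example, not part of the Red Hat solution: detect the case from
# "Root Cause" where correct_escapes in radiusd.conf does not agree with the
# backslash style used under policy.d. Assumes $RADDB/radiusd.conf, $RADDB/policy.d/*.

# Effective correct_escapes value: "true", "false", or "unset" when an old,
# customized radiusd.conf lacks the line (FreeRADIUS then behaves as false).
get_correct_escapes() {
    local val
    val=$(sed -n 's/^[[:space:]]*correct_escapes[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
          "$1/radiusd.conf" 2>/dev/null | tail -n 1)
    echo "${val:-unset}"
}

# Policy lines still in the pre-3.0.5 doubled style: "\\" directly followed by
# a regex metacharacter (\\. \\$ ...). "\\/" is skipped: in the new syntax it
# is a legitimate literal backslash, the one line the article's grep still
# shows. This is a heuristic, not an unlang parser.
old_escape_lines() {
    grep -rn '\\\\[.$()|+*?^]' "$1/policy.d" 2>/dev/null
}

# Exit 0 when the setting and the policy files agree, 1 on a mismatch.
check_escapes() {
    local mode old
    mode=$(get_correct_escapes "$1")
    old=$(old_escape_lines "$1")
    if [ -n "$old" ] && [ "$mode" = "true" ]; then
        printf 'MISMATCH: correct_escapes=true but old escaping remains:\n%s\n' "$old"
        return 1
    elif [ -z "$old" ] && [ "$mode" != "true" ]; then
        echo "MISMATCH: policy.d uses single escapes but correct_escapes is $mode"
        return 1
    fi
    echo "OK: correct_escapes=$mode matches the escaping used in policy.d"
}

# Constructed sample reproducing the broken upgrade: the customized radiusd.conf
# was kept (no correct_escapes line) while policy.d/filter came from the new
# package. Prints the directory path.
make_sample_raddb() {
    local d; d=$(mktemp -d); mkdir -p "$d/policy.d"
    echo 'prefix = /usr' > "$d/radiusd.conf"
    cat > "$d/policy.d/filter" <<'EOF'
filter_username {
    if (&User-Name =~ /\.\./ ) { reject }
    if (&User-Name && (&User-Name =~ /@|\\/)) { reject }
}
EOF
    echo "$d"
}
```

Run `check_escapes /etc/raddb` on a real host; on the constructed sample it reports the mismatch until `correct_escapes = true` is merged into radiusd.conf.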

Root Cause

  • The regex backslash escaping done by freeradius-3.0.4 and earlier differs from the one done by freeradius-3.0.5+ (hence by freeradius-3.0.13-8 shipped with RHEL7.4). The associated configuration parameter is correct_escapes in freeradius-3.0.5+, and it defaults to false for backward compatibility.

  • This leads to the following:

    • Upon upgrade, if /etc/raddb/radiusd.conf has not been modified, the new file contains correct_escapes = true, which makes freeradius work correctly

    • Upon upgrade, if /etc/raddb/radiusd.conf has been modified, the old file is kept as is and the new default configuration file is saved as /etc/raddb/radiusd.conf.rpmnew, which makes freeradius behave abnormally:

      • since the correct_escapes parameter doesn't exist in the old configuration file, it defaults to false
      • however, other untouched configuration files (e.g. /etc/raddb/policy.d/filter) have been updated to the new backslash escaping, which freeradius doesn't understand while correct_escapes is false.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.