Describe the bug
We use PacketFence version 11 and authenticate to the Captive Portal against RADIUS on a Windows Server 2016. PacketFence has not joined the domain and we use ONLY RADIUS as authentication source. Everything worked fine. We have made no config changes on PacketFence. For about 4 weeks, login to the Captive Portal has no longer been possible. After logging in, the user gets this message:
"Unable to validate credentials at the moment"
BUT: the Windows RADIUS server clearly allows the connection request of the users.
We have tested the same configuration with PacketFence v13 and v14. Always the same behavior.
These updates for Windows were installed on 30.09.24:
KB5041576
KB5041773
(our security policy does not allow me to uninstall the updates)
In packetfence.log we have these messages:
packetfence_httpd.portal[3821455]: httpd.portal(3821455) INFO: [mac:XXX] Found authentication source(s) : 'RADIUS_PIR-DC01' for realm 'null' (pf::config::util::filter_authentication_sources)
packetfence_httpd.portal[3821455]: httpd.portal(3821455) INFO: [mac:XXX] Authenticating user using sources : RADIUS_PIR-DC01 (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
packetfence_httpd.portal[3821455]: httpd.portal(3821455) ERROR: [mac:XXX] Unable to perform RADIUS authentication on any server: EBADAUTH (pf::Authentication::Source::RADIUSSource::_handle_radius_request)
I have analyzed the network traffic with Wireshark and everything works fine:
I used
/usr/local/pf/bin/pftest authentication KNOWN_USER KNOWN_PASS
and the correct authentication source is also resolved, but the same error message appears:
Authenticating against 'RADIUS_PIR-DC01' in context 'portal'
Authentication FAILED against RADIUS_PIR-DC01 (Unable to validate credentials at the moment) <--- same error as on WebUI
Matched against RADIUS_PIR-DC01 for 'authentication' rule Default_Settings
set_role : default
set_access_duration : 12h
Did not match against RADIUS_PIR-DC01 for 'administration' rules
I also used radtest and this works fine:
radtest KNOWN_USER $PASS 1xx.xxx.xxx.xx3:1812 12 $SECRET
Sent Access-Request Id 21 from 0.0.0.0:42889 to 1xx.xxx.xxx.xx3:1812 length 80
User-Name = "KNOWN_USER"
User-Password = "XXXX"
NAS-IP-Address = 1xx.xxx.xxx.xx4
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "XXXX"
Received Access-Accept Id 21 from 1xx.xxx.xxx.xx3:1812 to 1xx.xxx.xxx.xx2:42889 length 120
Message-Authenticator = 0x13585da32f9544affb8a77ceb4fb07a9
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x7d8107b20000013700010200c0a809e300000000000000000000000001db1383afea5425000000000004a9f1
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
I suspect the problem is with the RADIUS response from the Windows server. Access is allowed, but PacketFence does not process the response properly.
The error is reported in this routine:
/usr/local/pf/lib/pf/Authentication/Source/RADIUSSource.pm
...
sub _handle_radius_request {
    my ($self, $radius, $result) = @_;
    my $logger = get_logger();
    # The client library flagged an error while sending or receiving
    if ($radius->get_error() ne $RADIUS_ERROR_NONE) {    # <-- here is the error reported
        $logger->error("Unable to perform RADIUS authentication on any server: " . Authen::Radius::get_error());
        return ($FALSE, $COMMUNICATION_ERROR_MSG);
    }
    # Access-Accept: success, return the reply attributes
    if ($result == ACCESS_ACCEPT) {
        return ($TRUE, $AUTH_SUCCESS_MSG, $self->_fetch_attributes($result, $radius));
    }
    # Access-Challenge: hand the challenge data back to the caller
    elsif ($result == ACCESS_CHALLENGE) {
        return ($LOGIN_CHALLENGE, $self->_make_challenge_data($result, $radius));
    }
    return ($FALSE, $AUTH_FAIL_MSG);
}
...
How can I solve the problem or better narrow it down? Does anyone have a good idea?
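Added example, not part of the original issue and not PacketFence's code: a sketch that recomputes the two integrity values a RADIUS client checks on a reply (the Response Authenticator of RFC 2865 and the Message-Authenticator of RFC 3579), so a captured Access-Accept can be checked against the shared secret independently of PacketFence. The function names, the sample secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Recompute both integrity values of a RADIUS reply taken from a capture."""
    length = struct.unpack("!H", reply[2:4])[0]
    reply = reply[:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    result = {"response_authenticator_ok": hmac.compare_digest(expected, reply[4:20]),
              "message_authenticator": "absent"}
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(reply):
        atype, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > len(reply):
            result["message_authenticator"] = "malformed attribute list"
            break
        if atype == MSG_AUTH and alen == 18:
            # HMAC-MD5 keyed with the secret, over the packet with the Request
            # Authenticator in the header and the attribute value zeroed.
            zeroed = (reply[:4] + request_auth + reply[20:pos + 2]
                      + b"\x00" * 16 + reply[pos + 18:])
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(mac, reply[pos + 2:pos + 18])
            result["message_authenticator"] = "ok" if ok else "mismatch"
            break
        pos += alen
    return result

def make_sample_reply(request_auth: bytes, secret: bytes) -> bytes:
    """Constructed Access-Accept (Id 21, Service-Type = Framed-User), signed server-style."""
    attrs = bytes([6, 6]) + struct.pack("!I", 2) + bytes([MSG_AUTH, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", 2, 21, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

SECRET = b"constructed-secret"      # sample value, not from the issue
REQUEST_AUTH = bytes(range(16))     # sample 16-byte Request Authenticator

if __name__ == "__main__":
    sample = make_sample_reply(REQUEST_AUTH, SECRET)
    print(check_reply(sample, REQUEST_AUTH, SECRET))
    print(check_reply(sample, REQUEST_AUTH, b"other-secret"))
```

To use it on real traffic, pass the reply bytes and the request's 16-byte authenticator exported from the capture, together with the secret configured on the authentication source; the result shows which of the two values, if any, does not verify.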