Issues with £ character in passwords

Mark Keyte Mark.Keyte at lshtm.ac.uk
Wed Feb 11 14:46:03 CET 2015


Hi 

We have been running FreeRADIUS with 802.1X (PEAP-MSCHAPv2) against
eDirectory authentication for a number of years. Currently running on
SLES 11 SP3 - freeradius-server-2.2.5-11.1 - but I have tested with
an older freeradius package that ships with SLES 11 SP3.

Setup similar to 

https://www.novell.com/support/kb/doc.php?id=7009035

We have recently noticed that authentication is failing when users are
using the £ sign character in their password (and also § found on
MacBook keyboards) - it seems to work fine with other characters -
!"$%^123&*()_+-=[]{};'#:@~,./<>?\| for example.

What I see in logs is

Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: lsxtestaas at lshtm.ac.uk
[mschap] Client is using MS-CHAPv2 for lsxtestaas at lshtm.ac.uk, we need
NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject


However, as soon as I remove the £ sign, auth works fine.

Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [lsxtestaas at lshtm.ac.uk] (from client aruba port 0 cli
C48508CCE903 via TLS tunnel)

It also works if you use £ rather than just the £ within the password
when authing from a supplicant (tested with Android & Windows),
suggesting some kind of encoding issue? The cleartext password
returned from eDirectory seems fine.

[ldap] Added the eDirectory password ****£**** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
 [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok

Any thoughts would be appreciated.

Thanks

Mark
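
Added example, not part of the original post and not FreeRADIUS code: a sketch of how a UTF-8 versus single-byte mismatch in the NT-Password derivation would produce the rejection seen above. It assumes the server widens each stored byte to a 16-bit unit instead of decoding UTF-8, which the post does not confirm; the function names and sample passwords are constructed for illustration.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3."""
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:
                f, k = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4
                s, add = (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                f, k, s, add = b ^ c ^ d, r3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + x[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT-Password as the supplicant derives it: MD4 over UTF-16LE."""
    return md4(password.encode("utf-16-le")).hex()

def nt_hash_bytewise(stored: bytes) -> str:
    """Assumed faulty path: each stored byte widened to one 16-bit unit."""
    return md4(b"".join(bytes((ch, 0)) for ch in stored)).hex()

def compare(password: str) -> dict:
    """Compare the supplicant-side hash with the assumed server-side hash."""
    stored = password.encode("utf-8")  # assumed form of the LDAP cleartext value
    client, server = nt_hash(password), nt_hash_bytewise(stored)
    return {"client": client, "server": server, "match": client == server,
            "non_ascii": [c for c in password if ord(c) > 127]}

if __name__ == "__main__":
    for pw in ("Test123!#", "Test£123", "Test§123"):  # constructed samples
        print(pw, compare(pw))
```

Under this assumption only passwords containing characters outside ASCII diverge, which is consistent with the other punctuation listed in the post authenticating normally.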

