Re: Issues with £ character in passwords

[Alan DeKok]

On Feb 11, 2015, at 8:46 AM, Mark Keyte <Mark.Keyte at lshtm.ac.uk> wrote:
> We have recently noticed that authentication is failing when users are
> using the £ sign character in their password (and also § found on
> macbook keyboards) - it seems to work fine with other characters -
> !"$%^123&*()_+-=[]{};'#:@~,./<>?\| for example.

  i.e. ASCII.

  The problem is a hard one to solve.  The MS-CHAP standards don’t actually say what format the passwords should be in.  So implementations have chosen different paths… not all of which are compatible.

> However as soon as I remove £ sign auth is working fine. 

  Exactly.

> It also works if you use £ rather than just the £ within the password
> when authing from a supplicant (tested with android & Windows)-
> suggesting some kind of encoding issue??.

  It’s an encoding issue.  FreeRADIUS tries to do the right thing, and has been tested with every supplicant out there.  So it *should* work.

> Any thoughts would be appreciated.

  Post some sample passwords to the list.  The one that fails, and the one that works.  As *hex* strings.  Don’t just cut & paste the password.  Mailers *will* modify the password.  They won’t modify a hex string.

  I’ll take a look and see if there’s an issue which can be fixed.

  Alan DeKok.