Sometimes passwords are coming in with junk

Sam T givemesam at
Sat Nov 10 01:09:20 CET 2018

Thanks so much for the commentary on this!

We found it! It looked a lot like changing shared secrets, but we found
that there was some kind of timer on the NAS that would change the
decryption every X min to prevent brute force, making the browser or
intermediary break the decrypt/encrypt sync if you don't log in fast
enough. It was very low (1 min). After a fail, it would then refresh it,
and it would accept. We moved that time up to 100 min and you are right,
FreeRADIUS does it right, every time!

For the WWW, 'failed authentication block' is what it was called, and set
it to something above 10 min so users can get logged in before their
decryption changes. The documentation we had did not say that was the way
it handled brute force prevention, and I'm not sure it is even a good way of
doing brute force prevention as it is still sending the junked password up
to RADIUS.

We did some pcap'ing yesterday, and also looked at what the NAS was sending
up and out the bad info vs blocking it as to what that setting leads us to
believe, and saw the scramble was originating locally.


On Fri, Nov 9, 2018 at 10:05 AM Arran Cudbard-Bell <
a.cudbardb at> wrote:

> > On Nov 9, 2018, at 12:58 PM, Arran Cudbard-Bell <
> a.cudbardb at> wrote:
> >
> >
> >
> >> On Nov 7, 2018, at 4:47 PM, Sam T <givemesam at> wrote:
> >>
> >> Hi!
> >>
> >> We are getting close to a workable solution with freeradius!
> >>
> >> When running freeradius in debug mode we can see that sometimes it
> comes in
> >> correctly, and other times in some kind of junky value.
> >
> > The shared secret is wrong.  If your NAS supports Message-Authenticator,
> enable it and FreeRADIUS will tell you that the shared secret is wrong.
> The other things it could be are an intermediary proxy, not
> decrypting/re-encrypting the password value correctly.
> Bytes being overwritten in the message authenticator.  Bytes being
> overwritten in the User-Password attributes.
> Packets coming from different source IPs (with different shared secrets).
> Uninitialised memory in the RADIUS client screwing up the encryption, etc.
> Use radsniff with captured packets and pass -s to verify it's not a client
> lookup issue.
> Send packets directly if you're using a proxy.
> Verify PCAPs on the NAS and RADIUS server have the same content.
> -Arran
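
The failure mode discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: RFC 2865 User-Password hiding carries no integrity check, so a key mismatch between NAS and server decodes to junk instead of an error, while Message-Authenticator (RFC 2869) exposes the mismatch. The secrets, Request Authenticator, password and packet bytes are constructed sample values, and the packet is a stand-in for a real Access-Request with the Message-Authenticator value zeroed.

```python
import hashlib
import hmac

def _keystream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2, NAS side: pad to 16-byte blocks, XOR with MD5(secret + previous)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream(secret, prev)))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side. No integrity check: a wrong key simply yields different bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def message_authenticator(packet_zeroed: bytes, secret: bytes) -> bytes:
    """RFC 2869 5.14: HMAC-MD5 over the packet, keyed with the shared secret."""
    return hmac.new(secret, packet_zeroed, hashlib.md5).digest()

def looks_like_junk(value: bytes) -> bool:
    """Heuristic: bytes outside printable ASCII suggest a key mismatch."""
    return any(b < 0x20 or b > 0x7E for b in value)

# Constructed sample values, not taken from the thread.
NAS_SECRET, SERVER_SECRET = b"secret-on-nas", b"secret-on-server"
REQUEST_AUTH = bytes(range(16))
PASSWORD = b"correct horse battery"
PACKET = b"constructed stand-in for the Access-Request bytes"

if __name__ == "__main__":
    hidden = hide_password(PASSWORD, NAS_SECRET, REQUEST_AUTH)
    print("same secret :", recover_password(hidden, NAS_SECRET, REQUEST_AUTH))
    print("wrong secret:", recover_password(hidden, SERVER_SECRET, REQUEST_AUTH))
    sent = message_authenticator(PACKET, NAS_SECRET)
    expected = message_authenticator(PACKET, SERVER_SECRET)
    print("Message-Authenticator valid:", hmac.compare_digest(sent, expected))
```

The same junk appears if the Request Authenticator or the hidden bytes differ between what the NAS computed and what the server receives, which is why comparing captures taken on both ends is the decisive check.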