So, after working on our puzzling issue, we have found the root cause of chap failing instance: Our equipment vendor is putting this in the end device 4867467528286D35655B523F585C5359. But freeradius needs to see this value: HgFu((m5e[R?X\\SY. This value is the "Escaped" value of the above hex. In the radius db we have the hex value stored like this: 4867467528286D35655B523F585C5359. Are there any suggestions on how we could easily convert this to the 'Escaped' value either with SQL changes or writing a perl plugin or something else that we have missed? Here is how it can be converted in Postgres: # select encode(E'\\x4867467528286D35655B523F585C5359','escape'); encode ------------------- HgFu((m5e[R?X\\SY (1 row) Any suggestions? One idea I have is to change the SQL select statement FR uses, at least if we find one that works right... -- regards, Joseph
Joseph Showalter wrote:
So, after working on our puzzling issue, we have found the root cause of chap failing instance:
Our equipment vendor is putting this in the end device 4867467528286D35655B523F585C5359.
But freeradius needs to see this value: HgFu((m5e[R?X\\SY.
That's pretty much what I expected. For the record, the vendor is wrong. They should either accept printable ASCII passwords, or make it clear that the password is a binary string.
This value is the "Escaped" value of the above hex.
In the radius db we have the hex value stored like this: 4867467528286D35655B523F585C5359.
Are there any suggestions on how we could easily convert this to the 'Escaped' value either with SQL changes or writing a perl plugin or something else that we have missed?
You will need to use version 3. update { Tmp-Octets-0 := 0x4867467528286D35655B523F585C5359 reply:Filter-Id := &Tmp-Octets-0 } ... rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=81, length=38 Filter-Id = "HgFu((m5e[R?X\\SY" i.e. put the hex values into an "octets" type attribute. You'll need to prefix it with "0x", in order to get it parsed correctly. Then, assign it to a "string" attribute (e.g. Cleartext-Password), via the "&" operator. Unfortunately, version 2 doesn't support this functionality. In that version, you'll need to use Perl to do the translation. Alan DeKok.
On Apr 15, 2014, at 4:30 PM, Alan DeKok <aland@deployingradius.com> wrote:
Joseph Showalter wrote:
So, after working on our puzzling issue, we have found the root cause of chap failing instance:
Our equipment vendor is putting this in the end device 4867467528286D35655B523F585C5359.
But freeradius needs to see this value: HgFu((m5e[R?X\\SY.
That's pretty much what I expected. For the record, the vendor is wrong. They should either accept printable ASCII passwords, or make it clear that the password is a binary string.
This value is the "Escaped" value of the above hex.
In the radius db we have the hex value stored like this: 4867467528286D35655B523F585C5359.
Are there any suggestions on how we could easily convert this to the 'Escaped' value either with SQL changes or writing a perl plugin or something else that we have missed?
You will need to use version 3.
update { Tmp-Octets-0 := 0x4867467528286D35655B523F585C5359 reply:Filter-Id := &Tmp-Octets-0 }
So, if we prefixed the hex password with 0x via the sql, or do a db update, how would this look in the FR config: And used version 3 of course... update { Tmp-Octets-0 := < what would good here? > reply:Filter-Id := &Tmp-Octets-0 }
...
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=81, length=38 Filter-Id = "HgFu((m5e[R?X\\SY"
i.e. put the hex values into an "octets" type attribute. You'll need to prefix it with "0x", in order to get it parsed correctly.
Then, assign it to a "string" attribute (e.g. Cleartext-Password), via the "&" operator.
Unfortunately, version 2 doesn't support this functionality. In that version, you'll need to use Perl to do the translation.
Do you have any starter tips on how to hook perl in? Would you recommend rlm_perl or could this be done with a re-write module?
Alan DeKok.
-- regards, Joseph
Joseph Showalter wrote:
So, if we prefixed the hex password with 0x via the sql, or do a db update, how would this look in the FR config: And used version 3 of course...
update { Tmp-Octets-0 := < what would good here? >
A string expansion. Tmp-Octets-0 := "0x%{sql: SELECT ...}" Have the SQL SELECT statement return the password.
Do you have any starter tips on how to hook perl in?
raddb/modules/perl, and example.pl
Would you recommend rlm_perl or could this be done with a re-write module?
It can't be done with the rewrite module. Alan DeKok.
participants (2)
-
Alan DeKok -
Joseph Showalter