Questions about FreeRadius and unsupported characters for secret...
Hi, We have received a number of issues reported by our customers in regards to the secret authentication does not support certain characters in our software released based on FreeRadius v3.0.19. As a result of this, we had done some of our own comparison testing of a bunch of different special characters against both the v3.0.19 and the v2.2.9 releases. We found the following discrepancies, where it appears that there are bugs introduced into v3.0.19. 1. We would like to understand what explanation there is for why they are no longer supported or if a bug was introduced, so we can offer an explanation to our customers. 2. If there is a work-around, would you kindly let us know? 3. Do you know if these issues have been corrected in one of your newer releases? Secret value 8.4 Results (3.0.19) 8.3 Results (2.2.9) Comments testing123, Failed Passed (no quote) Supported in 2.2.9. Not Supported at All in 3.0.19.; not even with correct_escapes = false. radiusd:121302:1679518016.577067:Wed Mar 22 15:46:56 2023: Wed Mar 22 15:46:56 2023 : Info: Dropping packet without response because of error: Received packet from 10.16.167.194 with invalid Message-Authenticator! (Shared secret is incorrect.) testing123; Failed Passed (in single or double quotes or with testing123\;) Supported in 2.2.9. Not Supported at All in 3.0.19. radiusd:121302:1679518016.577067:Wed Mar 22 15:46:56 2023: Wed Mar 22 15:46:56 2023 : Info: Dropping packet without response because of error: Received packet from 10.16.167.194 with invalid Message-Authenticator! (Shared secret is incorrect.) "testing123\054" Failed Passed Supported in 2.2.9. Not Supported at All in 3.0.19. radiusd:151163:1679691163.765497:Fri Mar 24 15:52:43 2023: Fri Mar 24 15:52:43 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/sites-enabled/default[116]: Invalid regular expression: radiusd:151163:1679691163.765522:Fri Mar 24 15:52:43 2023: Fri Mar 24 15:52:43 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/sites-enabled/default[116]: ^(.*)\(.*) radiusd:151163:1679691163.765546:Fri Mar 24 15:52:43 2023: Fri Mar 24 15:52:43 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/sites-enabled/default[116]: ^ Pattern compilation failed: unmatched parentheses ^*B%9vÑStNfx9H Failed Passed Supported in 2.2.9. Not Supported at All in 3.0.19. radiusd:151392:1679933409.952848:Mon Mar 27 11:10:09 2023: Mon Mar 27 11:10:08 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/fs_clients.conf[19]: Syntax error: Expected comma after '^*B%9v': ÑStNfx9H radiusd:1 Note: The last one seems to be an issue with the accent mark over the N. Thank you in advance for your help! Tammy Dore Sr. Software Engineer Forescout Technologies, Inc. Email: tammy.dore@forescout.com<mailto:tammy.dore@forescout.com> Text: +1-214-403-2010 LinkedIn: https://www.linkedin.com/in/TammyDore/ [cid:image001.png@01D960F9.56EA0200] WARNING - CONFIDENTIAL INFORMATION: ________________________________ This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Forescout email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails ("spam"). If you have any concerns about this process, please contact us privacy@forescout.com.
On Mar 28, 2023, at 12:36 PM, Tammy Dore via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have received a number of issues reported by our customers in regards to the secret authentication does not support certain characters in our software released based on FreeRadius v3.0.19. As a result of this, we had done some of our own comparison testing of a bunch of different special characters against both the v3.0.19 and the v2.2.9 releases.
This was already asked and answered.
We found the following discrepancies, where it appears that there are bugs introduced into v3.0.19.
No. If the shared secret is not [a-zA-Z0-9], you should probably use single-quoted strings, or double-quoted strings. The format of those strings is well documented. Alan DeKok.
participants (2)
-
Alan DeKok -
Tammy Dore