Issues with clients.conf shared secret
For a quick history, I'm currently migrating an old server running Freeradius 1.0.5 on FreeBSD to a new server running Freeradius 3.0.16 on Ubuntu 18.04 (the one available via apt install). We have thousands of clients configured in the clients.conf file with random passwords. But I have found that when I use a combination of a comma (,) and greater than (>) or less than signs (<) in a shared secret, I get an error. I have been able to at least narrow down this combination, but I'm suspecting there are more rules I should be aware of. My question is what special characters are not able to be used with freeradius, or is there an escape method that will work in the shared secret field that will make them work? The less I have to change on end devices the better. I have tried scouring the documents and mailing list, but have not found anything showing special character rules. For a sample of this, here's a clients.conf entry it errors on: client 127.0.0.1 { secret = abc,def<ghi123 shortname = test_sharedsecret } Running freeradius -CX, I get: FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf /etc/freeradius/3.0/clients.conf[2]: Parse error after "def": unexpected token "<" Thank you! Chris
On Jun 24, 2020, at 2:42 PM, Clos, Chris <cclos@ussignal.com> wrote:
For a quick history, I'm currently migrating an old server running Freeradius 1.0.5 on FreeBSD to a new server running Freeradius 3.0.16 on Ubuntu 18.04 (the one available via apt install).
Wow, that's old.
We have thousands of clients configured in the clients.conf file with random passwords. But I have found that when I use a combination of a comma (,) and greater than (>) or less than signs (<) in a shared secret, I get an error. I have been able to at least narrow down this combination, but I'm suspecting there are more rules I should be aware of.
My question is what special characters are not able to be used with freeradius, or is there an escape method that will work in the shared secret field that will make them work? The less I have to change on end devices the better. I have tried scouring the documents and mailing list, but have not found anything showing special character rules.
You can still use the same shared secret. The issue is that v1 was fairly flexible in what it accepted. v3 is a lot more strict.
For a sample of this, here's a clients.conf entry it errors on:
client 127.0.0.1 { secret = abc,def<ghi123
Just use secret = 'abc,def<ghi123' That way you only have to escape two characters in the secret: ' and \ secret = 'quote\'and backslash\\end' Alan DeKok.
participants (2)
-
Alan DeKok -
Clos, Chris