Problem with character Ä in username/password
Hi, There seems to be a problem if the username/password contain the character Ä, when trying to authenticate via freeradius. rad_recv: Access-Request packet from host 127.0.0.1:33292, id=245, length=98 User-Name = "\303\251\303\242\303\244\303\245\303\247\303\252\303\250\303\257\303\256\303\254\303\204\303\246\303\264\303\262\303\273" User-Password = "\222\023S~\345v\322\250\207\216\261\206\242J\301\301\251\006\233\026N\374\014\213\036c\022'\220\r\370\210" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "éâäåçêëèïîì@?æôòû", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_unix: [éâäåçêëèïîì@?æôòû]: invalid password modcall[authenticate]: module "unix" returns reject for request 1 modcall: leaving group authenticate (returns reject) for request 1 auth: Failed to validate the user. WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- I am using version 1.1.0 on Ubuntu Does anyone know of a workaround or solution to this. Thanks in advance. V~ --- Vinodh Velusamy Software Engineer Ubizen - a Cybertrust company Ubicenter, Philipssite 5, 3001 Leuven, Belgium T: +32 16 28 73 14 F: +32 16 28 71 00 E-mail: vinodh.velusamy@ubizen.com www.ubizen.com - www.cybertrust.com
"Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
There seems to be a problem if the username/password contain the character Ä, when trying to authenticate via freeradius.
No, go back and read the output again:
rad_recv: Access-Request packet from host 127.0.0.1:33292, id=245, length=98 User-Name = "\303\251\303\242\303\244\303\245\303\247\303\252\303\250\303\257\303\256\303\254\303\204\303\246\303\264\303\262\303\273" User-Password = "\222\023S~\345v\322\250\207\216\261\206\242J\301\301\251\006\233\026N\374\014\213\036c\022'\220\r\370\210"
That's the real contents of the packet. The '?' is printed simply because it replaces a non-ASCII character. Are you sending the server UTF-8 strings in the User-Name? What client are you using? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, Thanks for your response. I am using the radius server to authenticate a web-application using browser usernam/password authentication. Here is the debug info when trying to authenticate an ordinary user Vinodh/vinodh which works perfectly!! : Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 99 with timestamp 44e57654 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.203.118:1026, id=97, length=72 User-Name = "Vinodh" User-Password = "vinodh" Service-Type = Authenticate-Only NAS-Identifier = "10.0.203.118" NAS-IP-Address = 10.0.203.118 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "Vinodh", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 8 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns ok) for request 8 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 modcall[authenticate]: module "unix" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 97 to 10.0.203.118 port 1026 Finished request 8 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 97 with timestamp 44e57662 Nothing to do. Sleeping until we see a request. I have a setup in FreeRADIUS 0.5 where éâäåçêëèïîìÄæôòû/éâäåçêëèïîìÄæôòû seems to work. I am quite sure it is probably some configuration issue, but am not able to figure out where the issue is. Any help to resolve this is appreciated. Thanks. V~ --- Vinodh Velusamy Software Engineer Ubizen - a Cybertrust company Ubicenter, Philipssite 5, 3001 Leuven, Belgium T: +32 16 28 73 14 F: +32 16 28 71 00 E-mail: vinodh.velusamy@ubizen.com www.ubizen.com - www.cybertrust.com -----Original Message----- From: freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org [mailto:freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, August 17, 2006 7:26 PM To: FreeRadius users mailing list Subject: Re: Problem with character Ä in username/password "Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
There seems to be a problem if the username/password contain the character Ä, when trying to authenticate via freeradius.
No, go back and read the output again:
rad_recv: Access-Request packet from host 127.0.0.1:33292, id=245, length=98 User-Name = "\303\251\303\242\303\244\303\245\303\247\303\252\303\250\303\257\303\256\303\254\303\204\303\246\303\264\303\262\303\273" User-Password = "\222\023S~\345v\322\250\207\216\261\206\242J\301\301\251\006\233\026N\374\014\213\036c\022'\220\r\370\210"
That's the real contents of the packet. The '?' is printed simply because it replaces a non-ASCII character. Are you sending the server UTF-8 strings in the User-Name? What client are you using? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
Thanks for your response. I am using the radius server to authenticate a web-application using browser usernam/password authentication. Here is the debug info when trying to authenticate an ordinary user Vinodh/vinodh which works perfectly!! :
So... you didn't answer my question, and instead talked about something else that doesn't have a problem. How you you expect me to help you? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan, Sorry for the misunderstanding. We are using the mod_auth_radius, the RADIUS authentication module for the Apache webserver version 1.5.2 for apache 1.3 that you have developed. --- Vinodh Velusamy Software Engineer Ubizen - a Cybertrust company Ubicenter, Philipssite 5, 3001 Leuven, Belgium T: +32 16 28 73 14 F: +32 16 28 71 00 E-mail: vinodh.velusamy@ubizen.com www.ubizen.com - www.cybertrust.com -----Original Message----- From: freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org [mailto:freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, August 18, 2006 6:30 PM To: FreeRadius users mailing list Subject: Re: RE: Problem with character Ä in username/password "Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
Thanks for your response. I am using the radius server to authenticate a web-application using browser usernam/password authentication. Here is the debug info when trying to authenticate an ordinary user Vinodh/vinodh which works perfectly!! :
So... you didn't answer my question, and instead talked about something else that doesn't have a problem. How you you expect me to help you? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan, Sorry for troubling you, but could you please help me out with this? We are using the mod_auth_radius, the RADIUS authentication module for the Apache webserver version 1.5.2 for apache 1.3 that you have developed. If you need any other info I will try my best to provide it. --- Vinodh Velusamy Software Engineer Ubizen - a Cybertrust company Ubicenter, Philipssite 5, 3001 Leuven, Belgium T: +32 16 28 73 14 F: +32 16 28 71 00 E-mail: vinodh.velusamy@ubizen.com www.ubizen.com - www.cybertrust.com -----Original Message----- From: freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org [mailto:freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, August 18, 2006 6:30 PM To: FreeRadius users mailing list Subject: Re: RE: Problem with character Ä in username/password "Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
Thanks for your response. I am using the radius server to authenticate a web-application using browser usernam/password authentication. Here is the debug info when trying to authenticate an ordinary user Vinodh/vinodh which works perfectly!! :
So... you didn't answer my question, and instead talked about something else that doesn't have a problem. How you you expect me to help you? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
Sorry for troubling you, but could you please help me out with this? We are using the mod_auth_radius, the RADIUS authentication module for the Apache webserver version 1.5.2 for apache 1.3 that you have developed. If you need any other info I will try my best to provide it.
I have no idea what the problem is. I've asked for information, and you haven't provided it. I've asked questions that you haven't answered. If the username is garbage, then the ONLY reason that happens is that's what the user typed in. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan, Ok maybe it wasn't clear enough. We have a web-application running on Apache/tomcat and the client used for authentication is the mod_auth_radius module. We want to test that there are no problems with users having special characters, hence the garbage like username/password. We have a valid unix user éâäåçêëèïîìÄæôòû with password éâäåçêëèïîìÄæôòû in the Ubuntu Dapper Linux system on which the radius server 1.1.0 has been installed. So when I browse to the web-app, I get uid/pwd challenge, and when I provide the éâäåçêëèïîìÄæôòû/éâäåçêëèïîìÄæôòû as the uid/pwd, I see the following on the radius server which is running in debug mode: rad_recv: Access-Request packet from host 127.0.0.1:33292, id=245, length=98 User-Name = "\303\251\303\242\303\244\303\245\303\247\303\252\303\250\303\257\303\256\303\254\303\204\303\246\303\264\303\262\303\273" User-Password = "\222\023S~\345v\322\250\207\216\261\206\242J\301\301\251\006\233\026N\374\014\213\036c\022'\220\r\370\210" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "éâäåçêëèïîì@?æôòû", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_unix: [éâäåçêëèïîì@?æôòû]: invalid password modcall[authenticate]: module "unix" returns reject for request 1 modcall: leaving group authenticate (returns reject) for request 1 auth: Failed to validate the user. WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- I have another unix user Vinodh/vinodh in the system, so when I try that, I get this: Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 99 with timestamp 44e57654 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.0.203.118:1026, id=97, length=72 User-Name = "Vinodh" User-Password = "vinodh" Service-Type = Authenticate-Only NAS-Identifier = "10.0.203.118" NAS-IP-Address = 10.0.203.118 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "Vinodh", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 8 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns ok) for request 8 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 modcall[authenticate]: module "unix" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 97 to 10.0.203.118 port 1026 Finished request 8 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 97 with timestamp 44e57662 Nothing to do. Sleeping until we see a request. So the unix authentication works fine for ordinary characters. Is there some configuration issue somewhere? Hope this is more clearer. V~ --- Vinodh Velusamy Software Engineer Ubizen - a Cybertrust company Ubicenter, Philipssite 5, 3001 Leuven, Belgium T: +32 16 28 73 14 F: +32 16 28 71 00 E-mail: vinodh.velusamy@ubizen.com www.ubizen.com - www.cybertrust.com -----Original Message----- From: freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org [mailto:freeradius-users-bounces+vinodh.velusamy=ubizen.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, August 23, 2006 7:27 PM To: FreeRadius users mailing list Subject: Re: RE: RE: Problem with character Ä in username/password "Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
Sorry for troubling you, but could you please help me out with this? We are using the mod_auth_radius, the RADIUS authentication module for the Apache webserver version 1.5.2 for apache 1.3 that you have developed. If you need any other info I will try my best to provide it.
I have no idea what the problem is. I've asked for information, and you haven't provided it. I've asked questions that you haven't answered. If the username is garbage, then the ONLY reason that happens is that's what the user typed in. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Velusamy, Vinodh" <vinodh.velusamy@ubizen.com> wrote:
modcall: entering group authenticate for request 1 rlm_unix: [éâäåçêëèïîì@?æôòû]: invalid password
That would appear to be definitive, wouldn't it? The question marks are only for the log messages. The username and password send to rlm_unix are exactly what the user typed in. It looks like either the user doesn't exist in /etc/passwd, or they typed in the wrong password. Check that. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Velusamy, Vinodh