Hello, don't know if it's a bug or a change (doesn't found anything in the release notes), but if you use commas for the password in e.g. clients.conf, then the password itself gets malformed. ########################################################################### Normal request with password 123 Ready to process requests Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 0, (1 handled so far) (0) Received Access-Request Id 244 from 172.17.8.10:3072 to 172.17.8.254:1812 length 180 (0) User-Name = "123456-7890ab" (0) User-Password = "123" (0) NAS-Identifier = "wpa" (0) NAS-IP-Address = 172.17.8.10 (0) Called-Station-Id = "12-34-56-78-90-AB:WLAN TEST" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) NAS-Port-Id = "1" (0) Calling-Station-Id = "12-34-56-78-90-AB" (0) Connect-Info = "CONNECT 144 Mbps 802.11g/n" (0) # Executing section authorize from file /etc/radiusd-mac/sites-enabled/default (0) authorize { (0) radius-station-mac: EXPAND %{User-Name} (0) radius-station-mac: --> 123456-7890ab Found User-Password == "..." Are you sure you don't mean Cleartext-Password? See "man rlm_pap" for more information (0) [radius-station-mac] = noop (0) if (!ok) { (0) if (!ok) -> TRUE (0) if (!ok) { (0) radius-station-allow-mac: EXPAND %{User-Name} (0) radius-station-allow-mac: -->123456-7890ab (0) radius-station-allow-mac: users: Matched entry 123456-7890ab at line 18 (0) [radius-station-allow-mac] = ok (0) if (!ok) { (0) if (!ok) -> FALSE (0) } # if (!ok) = ok (0) [preprocess] = ok (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) Login OK: [123456-7890ab/123] (from client wpa port 1 cli 12-34-56-78-90-AB) (0) Sent Access-Accept Id 244 from 172.17.8.254:1812 to 172.17.8.10:3072 length 0 (0) Finished request ########################################################################### Malformed request with password 123, Listening on auth address * port 1812 bound to server mac_server Ready to process requests Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 0, (1 handled so far) (0) Received Access-Request Id 93 from 172.17.8.10:3072 to 172.17.8.254:1812 length 180 (0) User-Name = "123456-7890ab" (0) User-Password = "4\016\236\343\234B\177\230\006VZ\030\027E\301\324" (0) NAS-Identifier = "wpa" (0) NAS-IP-Address = 172.17.8.10 (0) Called-Station-Id = "12-34-56-78-90-AB:WLAN TEST" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) NAS-Port-Id = "1" (0) Calling-Station-Id = "12-34-56-78-90-AB" (0) Connect-Info = "CONNECT 144 Mbps 802.11g/n" (0) # Executing section authorize from file /etc/radiusd-mac/sites-enabled/default (0) authorize { (0) radius-station-mac: EXPAND %{User-Name} (0) radius-station-mac: --> 123456-7890ab Found User-Password == "..." Are you sure you don't mean Cleartext-Password? See "man rlm_pap" for more information (0) [radius-station-mac] = noop (0) if (!ok) { (0) if (!ok) -> TRUE (0) if (!ok) { (0) radius-station-allow-mac: EXPAND %{User-Name} (0) radius-station-allow-mac: --> 123456-7890ab (0) radius-station-allow-mac: users: Matched entry 123456-7890ab at line 18 (0) [radius-station-allow-mac] = ok (0) if (!ok) { (0) if (!ok) -> FALSE (0) } # if (!ok) = ok (0) [preprocess] = ok (0) } # authorize = ok (0) Found Auth-Type = Accept (0) Auth-Type = Accept, accepting the user (0) Login OK: [123456-7890ab/4????B???VZ??E??] (from client wpa port 1 cli 12-34-56-78-90-AB) (0) Sent Access-Accept Id 93 from 172.17.8.254:1812 to 172.17.8.10:3072 length 0 (0) Finished request This behavior appeared with 3.0.7. If it is a bug, please fix it. Kind regards. D. Stabla
On 24-07-15 10:39, Stabla, Daniel wrote:
Hello,
don't know if it's a bug or a change (doesn't found anything in the release notes), but if you use commas for the password in e.g. clients.conf, then the password itself gets malformed.
I assume you mean a shared secret here, not a password. The problem here is the config parser, that threats a comma as a split character. If I change the default from "testing123" to "testing123,45", I get the following message: Warning: etc/raddb/clients.conf[100]: The item '45' is defined, but is unused by the configuration And the shared secret "testing123" works just fine. Adding some quotes around the shared secret solves the problem, so IMHO it's not a bug. -- Herwin Weststrate
On 24 Jul 2015, at 05:25, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
On 24-07-15 10:39, Stabla, Daniel wrote:
Hello,
don't know if it's a bug or a change (doesn't found anything in the release notes), but if you use commas for the password in e.g. clients.conf, then the password itself gets malformed.
I assume you mean a shared secret here, not a password. The problem here is the config parser, that threats a comma as a split character. If I change the default from "testing123" to "testing123,45", I get the following message:
Warning: etc/raddb/clients.conf[100]: The item '45' is defined, but is unused by the configuration
And the shared secret "testing123" works just fine.
Adding some quotes around the shared secret solves the problem, so IMHO it's not a bug.
I know the change and the reason for it, and it's not a bug. Wrap the string in quotes. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Arran Cudbard-Bell -
Herwin Weststrate -
Stabla, Daniel