I tried to replace a very old Livingston RADIUS installation by FreeRadius 1.0.1 (using the Solaris pkg from Blastwave). I used the "compat = cistron" directive to simply continue with the existing users file for a first test. At first sight everything worked fine but after following the log for a while it turns out that (too) many users were rejected. All the rejected accounts have a "%" sign in the User-Password. Are there any restrictions on the character set used for the User-Password attribute? Which special chars are forbidden? Where can I find information on that subject? How can I get around this problem? There are a few thousand dialin accounts, out of them about 300 have a "%" in the password so I can't simply call them and solve that directly, not speaking about other chars that might make trouble, too. Thanks for help! nhk
Nils-Henner Krueger <nhk@netuse.de> wrote:
At first sight everything worked fine but after following the log for a while it turns out that (too) many users were rejected.
All the rejected accounts have a "%" sign in the User-Password.
See doc/variables.txt
How can I get around this problem? There are a few thousand dialin accounts, out of them about 300 have a "%" in the password so I can't simply call them and solve that directly, not speaking about other chars that might make trouble, too.
Escape the % via \%. Alan DeKok.
Alan DeKok wrote:
Nils-Henner Krueger <nhk@netuse.de> wrote:
At first sight everything worked fine but after following the log for a while it turns out that (too) many users were rejected.
All the rejected accounts have a "%" sign in the User-Password.
See doc/variables.txt
I don't do freeradius administration on a regular basis, so maybe I miss something obvious, but although I printed out variables.txt and read it several times I still don't get the point.
From variables.txt I understand that variables are referred to by %{name}. But what I think I observe are acocunts like this
testuser@domain.de.td Password = "34fgT%45" which seem to be rejected because of the "%" beeing part of the password value.
How can I get around this problem? There are a few thousand dialin accounts, out of them about 300 have a "%" in the password so I can't simply call them and solve that directly, not speaking about other chars that might make trouble, too.
Escape the % via \%.
Do I get it right, I put "34fgT\%45" instead of "34fgT%45" in the users file? Which other special chars need to be treated this way? Thanks for your help! nils-henner
Nils-Henner Krueger <nhk@netuse.de> wrote:
I miss something obvious, but although I printed out variables.txt and read it several times I still don't get the point.
'%' is a special character.
From variables.txt I understand that variables are referred to by %{name}.
Or, % followed by one character.
Do I get it right, I put "34fgT\%45" instead of "34fgT%45" in the users file?
Yes.
Which other special chars need to be treated this way?
None. Alan DeKok.
Alan DeKok wrote:
I miss something obvious, but although I printed out variables.txt and read it several times I still don't get the point.
'%' is a special character.
From variables.txt I understand that variables are referred to by %{name}.
Or, % followed by one character.
Do I get it right, I put "34fgT\%45" instead of "34fgT%45" in the users file?
Yes.
Which other special chars need to be treated this way?
None.
I'm still struggling on this subject. Now that I have a test system available I made several tests with various radius and dialin client parameters with the following result: As long as a "%" is in the password, CHAP never works, regardless of escaping with "\%" or not, while PAP always works. Am I lost with CHAP and "%" in password or can I do anything else with this problem? nils-henner
Nils-Henner Krueger wrote:
Alan DeKok wrote:
I miss something obvious, but although I printed out variables.txt and read it several times I still don't get the point.
'%' is a special character.
From variables.txt I understand that variables are referred to
by %{name}.
Or, % followed by one character.
Do I get it right, I put "34fgT\%45" instead of "34fgT%45" in the users file?
Yes.
Which other special chars need to be treated this way?
None.
I'm still struggling on this subject.
Now that I have a test system available I made several tests with various radius and dialin client parameters with the following result: As long as a "%" is in the password, CHAP never works, regardless of escaping with "\%" or not, while PAP always works.
Am I lost with CHAP and "%" in password or can I do anything else with this problem?
To add something more: I was able to test the whole thing with freeradius-0.9.3 and it works, that means no problem with "%" in password using CHAP. Something has changed on the way to 1.0.1, and because quoting like Alan suggested doesn't help it might even be a bug? nhk
participants (2)
-
Alan DeKok -
Nils-Henner Krueger