Problem with secrets

David Goodenough david.goodenough at linkchoose.co.uk
Wed Jul 19 12:27:22 CEST 2006


I just hit a really odd problem with a secrets.

We were asked to use FreeRadius to provide IP addresses to an Ericsonn
NAS.  We set up the server and have some test clients with simple secrets.
If those are right it works, if they are wrong it fails.

Then we put in the secret for the Ericsonn (I can not put it in this 
note as it is someone else's secret and I do not know what else it might
be the secret for, but privately I could make it available for testing).

This secret is 13 digits long, mixed numbers and letters, looks reasonably
random, and in the proper secret all the letters were upper case.  However
somehow one of the letters (an O) got put into the server in lower case.

The server happily accepts Access-Request packets with an authenticator 
built from the all upper case secret, even though its secret was different,
it was only the client which rejected the Access-Accept.  Diagnosing this
however was very difficult as we had no access to the Ericsonn box and any
console messages it might log (we could only see what went on the wire and
whether the connection succeeded).

A quick look at the code did not find anywhere where the secret gets folded
to all upper case (but I might have missed it) and if there were such folding
it would be unfortunate if this was only done on checking the received packet
not on generating the reply.

I am new to RADIUS, and I could not find any rules about case folding for
secrets, but I might have missed them.

It could simply be one of those freak places where the MD5 checksum happens
to be the same for the request but not the response, but that does not feel
right.

I am using 1.1.1 (I am also using JRadius which last time I looked only 
produced patches for 1.1.1, not 1.1.2).

David



More information about the Freeradius-Users mailing list