extra characters in User-Password line

Wed Aug 14 13:52:54 CEST 2019

On Aug 14, 2019, at 7:45 AM, Лев Валуев <2309005m03 at gmail.com> wrote:
> 
> After moved from freeradius v2 to freeradius v3 we have noticed some
> strange issue - radius service receives extra characters from nas
> client. For example, I am trying to authenticate on 10.56.36.33 host
> as user 'user' with password 'Password', but according to radius log
> it receives 'Password\000]\n'. Could you help me to find what is
> wrong?

  The NAS should encode the User-Password correctly.  This one doesn't.

  See the "filter_password" policy in more recent versions of the server:

#
#	Filter the User-Password
#
#  Some equipment sends passwords with embedded zeros.
#  This policy filters them out.
#
filter_password {
	if (&User-Password && \
	   (&User-Password != "%{string:User-Password}")) {
		update request {
			&Tmp-String-0 := "%{string:User-Password}"
			&User-Password := "%{string:Tmp-String-0}"
		}
	 }
}

  This may be in raddb/policy.d/filter already.  If not, add it there.

  Then, find the "filter_username" reference in sites-enabled/default.  And add "filter_password" after it.

  Alan DeKok.