Issues with clients.conf shared secret

Alan DeKok aland at deployingradius.com
Wed Jun 24 20:48:44 CEST 2020


On Jun 24, 2020, at 2:42 PM, Clos, Chris <cclos at ussignal.com> wrote:
> 
> For a quick history, I'm currently migrating an old server running Freeradius 1.0.5 on FreeBSD to a new server running Freeradius 3.0.16 on Ubuntu 18.04 (the one available via apt install).

  Wow, that's old.

> We have thousands of clients configured in the clients.conf file with random passwords.  But I have found that when I use a combination of a comma (,) and greater than (>) or less than signs (<) in a shared secret, I get an error.  I have been able to at least narrow down this combination, but I'm suspecting there are more rules I should be aware of.
> 
> My question is what special characters are not able to be used with freeradius, or is there an escape method that will work in the shared secret field that will make them work?  The less I have to change on end devices the better.   I have tried scouring the documents and mailing list, but have not found anything showing special character rules.

  You can still use the same shared secret.  The issue is that v1 was fairly flexible in what it accepted.  v3 is a lot more strict.

> For a sample of this, here's a clients.conf entry it errors on:
> 
> 
> client 127.0.0.1 {
>        secret          = abc,def<ghi123

  Just use

	secret = 'abc,def<ghi123'

  That way you only have to escape two characters in the secret: ' and \

	secret = 'quote\'and backslash\\end'

  Alan DeKok.
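
Added example, not part of the original message or of FreeRADIUS itself: a Python sketch that rewrites bare `secret = ...` lines from an old clients.conf into the single-quoted form described above, escaping only `'` and `\`. It assumes each bare secret runs to the end of its line with no trailing comment and that backslashes in the old file are literal; the function names and the second sample client are constructed for illustration.

```python
import re

# Matches "secret = value"; group 1 is the prefix, group 2 the value.
SECRET_LINE = re.compile(r"^(\s*secret\s*=\s*)(\S.*?)\s*$")

def quote_secret(raw: str) -> str:
    """Wrap a literal secret in single quotes, escaping only \\ and '."""
    escaped = raw.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

def unquote_secret(quoted: str) -> str:
    """Inverse of quote_secret, used to confirm the secret is unchanged."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])

def requote_clients_conf(text: str) -> str:
    """Single-quote every bare secret; leave already-quoted ones alone."""
    out = []
    for line in text.splitlines():
        m = SECRET_LINE.match(line)
        if m and m.group(2)[0] not in "'\"":
            value = m.group(2)
            quoted = quote_secret(value)
            # The end devices keep their secret, so it must round-trip exactly.
            if unquote_secret(quoted) != value:
                raise ValueError("secret did not round-trip")
            line = m.group(1) + quoted
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample: the first entry is the one from the message,
# the second is an already-quoted entry that must stay untouched.
SAMPLE = """client 127.0.0.1 {
       secret          = abc,def<ghi123
}
client 192.0.2.10 {
       secret          = 'already,quoted>'
}
"""

if __name__ == "__main__":
    print(requote_clients_conf(SAMPLE), end="")
```

Run the v3 server's configuration check against the rewritten file before cutting clients over, and keep the output file's permissions as tight as the original's, since it holds every shared secret.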



