Questions on Free Radius with Shared Secret and special characters

Tammy Dore tammy.dore at forescout.com
Thu Mar 23 22:18:10 UTC 2023


Hi Alan,

Thank you for replying so quickly to my email.

1.  So, from what I gather (correct me if I am wrong), the comma and semicolon are no longer supported in the shared secret for Free Radius 3.0.19, is that correct?  Just FYI, because you seemed to be in the dark, this is the error when using shared secret "testing123," with no actual quotes when I run the application on FR 3.1.19:
        radiusd:83578:1679608622.055769:Thu Mar 23 16:57:02 2023: Thu Mar 23 16:57:02 2023 : Info: Dropping packet without response because of error: Received packet from 10.16.xxx.xxx with invalid Message-Authenticator!  (Shared secret is incorrect.)
               (this error is reported multiple times, and I don't think it is descriptive enough to show that the problem is due to an unsupported character versus a mismatched shared secret)

2.  From what I also gathered from some testing, in release 2.2.9 the comma works, and the semicolon works with quotes around the shared secret.  Is there a reason why the comma and semicolon no longer work in 3.0.19?
3.  Are there any other characters that have changed behavior in Free Radius for release 3.0.19?
4.  Is there a recommended solution for handling the comma and semicolon in 3.0.19?

-Tammy Dore



-----Original Message-----
From: Alan DeKok <aland at deployingradius.com>
Sent: Thursday, March 23, 2023 12:12 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Tammy Dore <tammy.dore at forescout.com>
Subject: Re: Questions on Free Radius with Shared Secret and special characters

On Mar 23, 2023, at 12:52 PM, Tammy Dore via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We upgraded from a previous version of Free Radius v3.0.19.  Recently we have had some complaints that some special characters which used to work in our previous release no longer work.  So far I have discovered that these special characters do not work: , ; '

  Hmm... if only there was some way to actually tell what happened when you used special characters.  Perhaps some kind of debug output, or error message.  Oh well, I guess it's a complete mystery.

> So which known special characters are not supported?  Do I need to use an escape sequence in front of the special character to make it work?  I saw a blog that mentioned the correct_escapes setting in radiusd.conf can be used to correct the problem with special characters.  So will setting correct_escapes = false allow a secret with "testing123\," to work?

  The server supports single-quoted strings and double-quoted strings when setting values for "secret".  The normal rules for single / double-quoted strings apply.

  There is no magic.  The ',' and ';' characters are not special.  And when anything goes wrong, it gives a descriptive error message.

  Alan DeKok.
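
Added example, not part of the thread and not FreeRADIUS code: the Message-Authenticator check from RFC 2869 section 5.14, showing why the log line above can only report "Shared secret is incorrect". The attribute is an HMAC-MD5 keyed by the secret, so the server sees the same failure for any byte difference between the secret the client used and the secret it loaded, whatever caused the difference. Function names, the sample packet and the candidate secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869, section 5.14)


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, request_auth, user):
    """Client side: Access-Request carrying a Message-Authenticator."""
    attrs = _attr(1, user) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth
    packet = bytearray(header + attrs)
    # HMAC-MD5 over the whole packet with the field zeroed, keyed by the secret.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the server's copy of the secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    buf, pos = bytearray(packet[:length]), 20
    while pos + 2 <= length:
        attr_type, attr_len = buf[pos], buf[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = bytes(buf[pos + 2:pos + 18])
            buf[pos + 2:pos + 18] = bytes(16)
            expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator present


# Constructed sample: the client signs with the 11-byte secret "testing123,".
PACKET = build_access_request(b"testing123,", 1, bytes(range(16)), b"bob")
# Candidate byte strings a server might hold after parsing its client entry.
CANDIDATES = [b"testing123,", b"testing123", b'"testing123,"', b"testing123\\,"]
RESULTS = {c: verify_message_authenticator(c, PACKET) for c in CANDIDATES}

if __name__ == "__main__":
    for secret, ok in RESULTS.items():
        print(f"{secret!r:18} -> {'accepted' if ok else 'invalid Message-Authenticator'}")
```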
