Questions about FreeRadius and unsupported characters for secret...

[Tammy Dore]

Hi,

We have received a number of issues reported by  our customers in regards to the secret authentication does not support certain characters in our software released based on FreeRadius v3.0.19.  As a result of this, we had done some of our own comparison testing of a bunch of different special characters against both the v3.0.19 and the v2.2.9 releases.

We found the following discrepancies, where it appears that there are bugs introduced into v3.0.19.

  1.  We would like to understand what explanation there is for why they are no longer supported or if a bug was introduced, so we can offer an explanation to our customers.
  2.  If there is a work-around, would you kindly let us know?
  3.  Do you know if these issues have been corrected in one of your newer releases?


Secret value
8.4 Results
(3.0.19)
8.3 Results
(2.2.9)
Comments
testing123,
Failed
Passed (no quote)
Supported in 2.2.9.  Not Supported at All in 3.0.19.; not even with correct_escapes = false.

radiusd:121302:1679518016.577067:Wed Mar 22 15:46:56 2023: Wed Mar 22 15:46:56 2023 : Info: Dropping packet without response because of error: Received packet from 10.16.167.194 with invalid Message-Authenticator!  (Shared secret is incorrect.)
testing123;
Failed
Passed (in single or double quotes or with testing123\;)
Supported in 2.2.9.  Not Supported at All in 3.0.19.

radiusd:121302:1679518016.577067:Wed Mar 22 15:46:56 2023: Wed Mar 22 15:46:56 2023 : Info: Dropping packet without response because of error: Received packet from 10.16.167.194 with invalid Message-Authenticator!  (Shared secret is incorrect.)
"testing123\054"
Failed
Passed
Supported in 2.2.9.  Not Supported at All in 3.0.19.

radiusd:151163:1679691163.765497:Fri Mar 24 15:52:43 2023: Fri Mar 24 15:52:43 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/sites-enabled/default[116]: Invalid regular expression:
radiusd:151163:1679691163.765522:Fri Mar 24 15:52:43 2023: Fri Mar 24 15:52:43 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/sites-enabled/default[116]: ^(.*)\(.*)
radiusd:151163:1679691163.765546:Fri Mar 24 15:52:43 2023: Fri Mar 24 15:52:43 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/sites-enabled/default[116]:          ^ Pattern compilation failed: unmatched parentheses
^*B%9vÑStNfx9H
Failed
Passed
Supported in 2.2.9.  Not Supported at All in 3.0.19.

radiusd:151392:1679933409.952848:Mon Mar 27 11:10:09 2023: Mon Mar 27 11:10:08 2023 : Error: /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/fs_clients.conf[19]: Syntax error: Expected comma after '^*B%9v': ÑStNfx9H
radiusd:1

Note: The last one seems to be an issue with the accent mark over the N.

Thank you in advance for your help!

Tammy Dore
Sr. Software Engineer
Forescout Technologies, Inc.
Email: tammy.dore at forescout.com<mailto:tammy.dore at forescout.com>
Text: +1-214-403-2010
LinkedIn: https://www.linkedin.com/in/TammyDore/
[cid:image001.png at 01D960F9.56EA0200]

WARNING - CONFIDENTIAL INFORMATION:
________________________________
This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Forescout email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails ("spam"). If you have any concerns about this process, please contact us privacy at forescout.com.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 4520 bytes
Desc: image001.png
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230328/a0525b7d/attachment.png>