[RADIATOR] Password Length Limits

Heikki Vatiainen hvn at open.com.au
Sun Jun 3 14:37:41 CDT 2012


On 06/03/2012 01:16 AM, Adam Bishop wrote:

> What do the log files say? Is an accept/reject packet being sent, or is the request just terminating part way through (or even not reaching the radiusd)?

I would check if the PEAP TLS tunnel setup succeeds and you get
something like this in the logs:

Sun May  6 11:34:33 2012: DEBUG: EAP PEAP inner authentication request for mikem
Sun May  6 11:34:33 2012: DEBUG: PEAP Tunnelled request Packet dump:

Because if you do not get the above, this might be a fragmentation
issue, as Adam noted.

Also, with PEAP/EAP-MSCHAP-V2 there is no User-Password (or password in
any form), but the authentication is done with challenges and responses.
With this protocol the username length changes the message length, but
the EAP-MSCHAP-V2 messages are shorter than messages that setup the TLS
tunnel.

In other words, if possible, check the logs to see if the TLS tunnel
setup is successful and there are tunnelled messages sent inside the tunnel.

> If you can't pull the logs for any reason, a packet capture will do the same job.
> 
> Only thing I can think of that directly relates to any sort of length, is that if you were running close to a fragment size limit, a longer password could trigger an issue.
> 
> Start with the log files before tweaking your config though.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
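The triage order the reply describes (first confirm the PEAP TLS tunnel is up and a tunnelled inner request appears, only then suspect EAP fragmentation) as an added Python example run over constructed Radiator-style DEBUG lines; this is not code from the post or from Radiator itself, and the log excerpts are constructed, using only the two marker strings quoted in the reply.

```python
import re

# Marker lines the reply says appear once the PEAP tunnel is up and the
# inner EAP-MSCHAP-V2 exchange starts (strings taken from the post).
INNER_AUTH_RE = re.compile(r"DEBUG: EAP PEAP inner authentication request for (\S+)")
TUNNELLED_RE = re.compile(r"DEBUG: PEAP Tunnelled request Packet dump:")

def triage_peap_log(log_text: str, user: str) -> dict:
    """Classify a Radiator DEBUG log excerpt for one user's PEAP attempt.

    Follows the diagnostic order in the post: if the inner request and a
    tunnelled packet dump are present, the TLS phase is fine and the problem
    is in the inner authentication; if DEBUG lines exist but no tunnelled
    traffic ever appears, tunnel setup is stalling and fragmentation is the
    next thing to check; no DEBUG lines at all suggests radiusd never saw it.
    """
    inner_seen = user in INNER_AUTH_RE.findall(log_text)
    tunnelled_seen = bool(TUNNELLED_RE.search(log_text))
    debug_lines = sum(1 for line in log_text.splitlines() if ": DEBUG:" in line)

    if inner_seen and tunnelled_seen:
        verdict = "tunnel up, inner EAP-MSCHAP-V2 reached: inspect the inner auth, not TLS"
    elif debug_lines == 0:
        verdict = "no DEBUG lines: request may not be reaching radiusd"
    else:
        verdict = "no tunnelled request seen: TLS tunnel not completing, check EAP fragmentation"
    return {"inner_auth_seen": inner_seen, "tunnelled_seen": tunnelled_seen,
            "debug_lines": debug_lines, "verdict": verdict}

# Constructed sample: tunnel established and inner request logged.
TUNNEL_OK_LOG = """\
Sun May  6 11:34:32 2012: DEBUG: Packet dump:
Sun May  6 11:34:33 2012: DEBUG: EAP PEAP inner authentication request for mikem
Sun May  6 11:34:33 2012: DEBUG: PEAP Tunnelled request Packet dump:
"""

# Constructed sample: outer EAP packets keep arriving but nothing tunnelled appears.
TUNNEL_STALLED_LOG = """\
Sun May  6 11:35:01 2012: DEBUG: Packet dump:
Sun May  6 11:35:02 2012: DEBUG: Packet dump:
Sun May  6 11:35:03 2012: DEBUG: Packet dump:
"""

if __name__ == "__main__":
    for name, log in (("ok", TUNNEL_OK_LOG), ("stalled", TUNNEL_STALLED_LOG)):
        print(name, triage_peap_log(log, "mikem")["verdict"])
```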


More information about the radiator mailing list