[RADIATOR] Password with local characters fails

Heikki Vatiainen hvn at open.com.au
Mon May 21 04:17:21 CDT 2012


On 05/21/2012 10:47 AM, Patrik Forsberg wrote:

> I have a minor issue with our current setup where it seems like local characters aren't working for some reason?
> If a person has a password like "hello" it works but "hallå" won't work .. from debugging it looks like the character gets stripped from the password request .. but I'm NOT sure if it is equipment related or Radiator that strips it?
> 
> My question is if there is anything in Radiator that could strip the local characters from the password field prior to adding it up for authentication? My guess is no and that this is actually an equipment issue :)

Radiator does not strip anything, but with non-ASCII characters there's
the question of which locale (UTF8, ISO-8859-1, ISO-8859-15, etc.) is in
use and, as a result, how the non-ASCII characters get encoded.

I tried hallå (hall + http://en.wikipedia.org/wiki/%C3%85) as password
with both TACACS+ and plain RADIUS. The test was done with radpwtst and
goodies/tacacsplustest. The system uses UTF8 locale, so my å gets sent
as hex characters c3 a5 (decimal 195 and 165). This was on Radiator 4.9
and Ubuntu 12.04.

Trace 4 from radiusd, after modifying it to show the received password,
gives this for TACACS+ (hallå in UTF8 as the User-Password in the users
file):

Mon May 21 12:10:24 2012: DEBUG: New TacacsplusConnection created for
127.0.0.1:52192
Mon May 21 12:10:24 2012: DEBUG: TacacsplusConnection request 193, 1, 1,
0, 1234, 30
Mon May 21 12:10:24 2012: DEBUG: TacacsplusConnection Authentication
START 1, 2, 0 for hvn, 123, testclient
Mon May 21 12:10:24 2012: DEBUG: TACACSPLUS derived Radius request
packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <234>(<217><159>0&<146>d{<6><221>{<182><29>'<185>
Attributes:
	NAS-IP-Address = 127.0.0.1
	NAS-Port-Id = "123"
	Calling-Station-Id = "testclient"
	NAS-Identifier = "TACACS"
	cisco-avpair = "action=1"
	cisco-avpair = "authen_type=2"
	cisco-avpair = "priv-lvl=0"
	cisco-avpair = "service=0"
	User-Name = "hvn"
	User-Password = **obscured**
	User-Password = hall<195><165>
	OSC-Version-Identifier = "193"


Mon May 21 12:10:24 2012: DEBUG: Handling request with Handler
'Realm=DEFAULT', Identifier ''
Mon May 21 12:10:24 2012: DEBUG:  Deleting session for hvn, 127.0.0.1,
Mon May 21 12:10:24 2012: DEBUG: Handling with Radius::AuthFILE:
Mon May 21 12:10:24 2012: DEBUG: Reading users file ./users
Mon May 21 12:10:24 2012: DEBUG: Radius::AuthFILE looks for match with
hvn [hvn]
Mon May 21 12:10:24 2012: DEBUG: Radius::AuthFILE ACCEPT: : hvn [hvn]
Mon May 21 12:10:24 2012: DEBUG: AuthBy FILE result: ACCEPT,
Mon May 21 12:10:24 2012: DEBUG: Access accepted for hvn
Mon May 21 12:10:24 2012: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <234>(<217><159>0&<146>d{<6><221>{<182><29>'<185>
Attributes:


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
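
An added example, not part of the original post or of Radiator: a small Python diagnostic that turns a password value from a trace dump (the `hall<195><165>` notation in the log above) back into bytes and reports which charset the client used, or whether the non-ASCII characters were stripped on the way. The charset shortlist, the function names and the second and third sample dumps are assumptions constructed for illustration.

```python
import re

# Charsets a client or NAS might use for the password (an assumed shortlist).
CANDIDATES = ("utf-8", "iso-8859-1", "iso-8859-15", "cp1252")

def parse_trace_value(dumped):
    """Convert a trace value such as 'hall<195><165>' back to raw bytes.

    Assumes the dump style in the log above: printable ASCII shown as-is,
    any other byte shown as <decimal>. A password that literally contains
    '<digits>' would be ambiguous in this notation.
    """
    out = bytearray()
    for num, char in re.findall(r"<(\d{1,3})>|(.)", dumped, re.S):
        if num:
            value = int(num)
            if value > 255:
                raise ValueError("not a byte: <%s>" % num)
            out.append(value)
        else:
            out += char.encode("latin-1")
    return bytes(out)

def diagnose(expected, received):
    """Relate the bytes the server received to the stored password."""
    matches = []
    for charset in CANDIDATES:
        try:
            if expected.encode(charset) == received:
                matches.append(charset)
        except UnicodeEncodeError:
            pass  # this charset cannot represent the password at all
    if matches:
        return "sent as " + "/".join(matches)
    if received == expected.encode("ascii", "ignore"):
        return "non-ASCII characters stripped before reaching the server"
    if received == expected.encode("ascii", "replace"):
        return "non-ASCII characters replaced with '?'"
    return "no match: wrong password or unlisted charset"

if __name__ == "__main__":
    stored = "hall\u00e5"  # the password from the thread
    # First dump is from the log above; the other two are constructed.
    for dump in ("hall<195><165>", "hall<229>", "hall"):
        print(dump, "->", diagnose(stored, parse_trace_value(dump)))
```

Because the comparison is done on bytes, a "sent as" result only leads to an accept when the stored password is held in that same encoding.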

