Radius client special chars
-
I believe I have hit an issue where I have configured a RADIUS "Authentication server" following the docs https://docs.netgate.com/pfsense/en/latest/recipes/radius-windows.html
The issue I'm having is it authenticates properly if my password doesn't contain special characters and fails if it does. Is this a known issue with the pfSense RADIUS client?
I have seen mention that this issue exists in FreeRADIUS https://forum.netgate.com/topic/140046/authentication-password-with-special-character-gets-rejected/8 but I'm not sure if this is talking about the same thing?
-
The linked thread is about a slightly different issue.
What you are hitting is probably this:
https://redmine.pfsense.org/issues/10352
It's worth testing a dev snapshot if you can (Plus 23.01 or CE 2.7.0), there were some changes made to the underlying RADIUS library, though I don't recall any specifically relevant to this, it's possible it made a difference.
-
@jimp thanks for the response. Can't get it working in the latest 2.7 snapshot or using PAP, MD5-CHAP or MS-CHAPv1.
The reason I'm trying to configure RADIUS is that I believe you need it for the EAP-RADIUS authentication method in IPsec. Is it possible to use LDAP authentication instead of this, as it works perfectly for that?
-
That does require RADIUS, it can't work with LDAP.
-
@jimp So I had a look into this a bit and I believe this is probably NPS expecting passwords to be UCS-2 rather than the UTF-8 that gets sent.
I think it's this project https://github.com/pear/Crypt_CHAP that the authentication test uses behind the scenes that has a bug in str2unicode. Similar issue here https://github.com/dapphp/radius/issues/5
Changed the str2unicode function on the pfSense 2.7 dev version I was using for testing and now a user with the password: Password!"£$%^&* works as expected when it didn't before.
function str2unicode($str)
{
    $uni = '';
    $str = (string) $str;
    // Walk code points, not bytes: a multibyte UTF-8 character must become one UCS-2 code unit
    for ($i = 0; $i < mb_strlen($str, 'UTF-8'); $i++) {
        $cp = mb_ord(mb_substr($str, $i, 1, 'UTF-8'), 'UTF-8');
        // UCS-2 is 16-bit, so anything above the BMP (U+FFFF) cannot be represented
        // (check the raw code point, before any byte shuffling)
        if ($cp > 0xFFFF) {
            echo "NPS does not support non BMP codepoints\n";
            return;
        }
        // Emit the 16-bit code unit little-endian (low byte first), as NPS expects
        $uni .= sprintf("%02X%02X", $cp & 0xFF, $cp >> 8);
    }
    return pack('H*', $uni);
}
I'm no Unicode or PHP expert, but as UCS-2 is only 16-bit it can't support any code points over 65536, so I added a check to fail if it finds this. So no emojis or 4-byte Chinese code points.
This might still work fine in strongSwan as I read they added a fix for this, so it might just have been the authentication tab that was not working correctly. Will register for the bugtracker in the morning and update that bug.
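Added example (not pfSense, Crypt_CHAP or strongSwan code) illustrating the encoding mismatch described in the post above: NPS expects the MS-CHAP password as UCS-2 (UTF-16LE for BMP characters), so a converter that walks the UTF-8 bytes instead of the code points produces the right bytes for ASCII only, which is exactly the "works without special characters, fails with them" symptom. The function names and the sample passwords are constructed for the example.

```python
# Added example: why a byte-oriented UTF-8 -> "unicode" conversion breaks MS-CHAP
# against NPS for non-ASCII passwords, and what the code-point-oriented version does.
# Function names and sample passwords are constructed for this illustration.


def str2unicode_bytewise(password: str) -> bytes:
    """The failure mode from the thread: treat every UTF-8 *byte* as one character
    and append a zero high byte. Correct for ASCII, wrong for anything multibyte."""
    out = bytearray()
    for b in password.encode("utf-8"):
        out += bytes([b, 0x00])
    return bytes(out)


def str2unicode(password: str) -> bytes:
    """Code-point-oriented conversion to UCS-2LE. Refuses code points outside the
    Basic Multilingual Plane instead of silently emitting something NPS cannot hash."""
    out = bytearray()
    for ch in password:
        cp = ord(ch)
        if cp > 0xFFFF:
            raise ValueError(f"U+{cp:04X} is outside the BMP; UCS-2 cannot encode it")
        out += bytes([cp & 0xFF, cp >> 8])  # little-endian 16-bit code unit
    return bytes(out)


def conversions_agree(password: str) -> bool:
    """True when the byte-wise and code-point-wise conversions produce the same
    bytes, i.e. when the password is ASCII-only and the bug stays invisible."""
    return str2unicode_bytewise(password) == str2unicode(password)


if __name__ == "__main__":
    for pw in ["Password123", 'Password!"£$%^&*']:
        print(f"{pw!r}: bytewise={str2unicode_bytewise(pw).hex()} "
              f"codepoint={str2unicode(pw).hex()} agree={conversions_agree(pw)}")
```

For "Password123" both conversions agree, so authentication succeeds either way; for the password from the post the "£" (U+00A3, two UTF-8 bytes) turns into two bogus code units under the byte-wise conversion, so the hash the client sends never matches what NPS computes from its UCS-2 view of the same password. The code-point version matches Python's own UTF-16LE encoder for any BMP string, and an emoji (outside the BMP) is rejected up front rather than mangled.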