Netgate Discussion Forum

    Radius authentication passphrase length

    Captive Portal
    45 Posts 4 Posters 20.5k Views
      buraglio

      OK, I got it all cleaned up and patched it.  It is yielding the same error from the debug info.  From the debug output it looks like it's grabbing 16 characters.

      "username is blahblah with len 8 encryptedpassword is …........with len 16 ........"

      https://www.forwardingplane.net/

        billm

        Any debug from the Encrypt() function?  I tested it with 15-17 character passwords and it seemed to do the right thing there.  I don't have a way to test against RADIUS, but the function looks good now :-/

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

          buraglio

          No real debug info from the Encrypt() function.  I can dig a little deeper.  I can also give you access to the box if you'd like.

          https://www.forwardingplane.net/

            buraglio

            So it does allow for shorter passwords but generates some errors:

            [code]
            radius-port: 1812
            radius-host: 10.10.102.2
            username: blahblah
            
            key: TestRadiusKey
            password: testpasswd
            username is blahblah with len 8 encryptedpassword is šJ»[à6%¤2ÍǃhÄ with len 10 nasHostname is portal-a.lab.local with len 18 
            writing 95 bytes
            
            Warning: Cannot modify header information - headers already sent by (output started at /usr/local/captiveportal/radius_authentication.inc:48) in /usr/local/captiveportal/index.php on line 335 
            radius-port: 1813
            radius-host: 10.10.2.25
            username: blahblah
            
            username is blahblah with len 8 nasHostname is portal-a.lab.local with len 18 
            writing 113 bytes
            [/code]

            The errors on the RADIUS server for a >16 char passphrase are as I'd expect for an incorrect passphrase.
            
            

            https://www.forwardingplane.net/

              billm

              @buraglio:

              No real debug info from the Encrypt() function.  I can dig a little deeper.  I can also give you access to the box if you'd like.

              It'd be helpful to be able to point at a radius server with an account that has a 17 (or larger) character password.  I've got no way of testing that I'm following the RFC correctly - 16 and under still work with the new code I assume?

              –Bill

              pfSense core developer
              blog - http://www.ucsecurity.com/
              twitter - billmarquette
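
RADIUS User-Password hiding is specified in RFC 2865 section 5.2; the following is an added example of what it requires for passwords longer than 16 octets, not part of the thread and not the pfSense code. The Request Authenticator and both passwords are constructed, and `hide_first_block_only` is a hypothetical broken client used only to show why accounts at or under 16 characters can keep working while longer ones are rejected.

```python
import hashlib

BLOCK = 16  # MD5 output size; User-Password is hidden in 16-octet blocks

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RFC 2865 section 5.2 User-Password hiding."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("this example accepts passwords of 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL-pad to 16n
    out, prev = b"", authenticator  # block 1 is keyed with the authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        out += prev  # block n+1 is keyed with ciphertext block n
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the chaining, then strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def hide_first_block_only(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hypothetical broken client that never processes octets past the 16th."""
    return hide_password(password[:BLOCK], secret, authenticator)

SECRET = b"TestRadiusKey"       # key value shown in the debug output on this page
RA = bytes(range(16))           # constructed Request Authenticator
SHORT = b"fifteen-chars-x"      # constructed 15-octet password
LONG = b"twenty-characters-pw"  # constructed 20-octet password

if __name__ == "__main__":
    # Columns: password length, correct hidden length, broken hidden length,
    # server recovers password (correct client), server recovers it (broken client)
    for pw in (SHORT, LONG):
        good = hide_password(pw, SECRET, RA)
        bad = hide_first_block_only(pw, SECRET, RA)
        print(len(pw), len(good), len(bad),
              reveal_password(good, SECRET, RA) == pw,
              reveal_password(bad, SECRET, RA) == pw)
```

A hidden password of exactly 16 octets for an account whose password is longer than 16 characters is the quickest sign that the second block was never produced.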

                buraglio

                It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

                https://www.forwardingplane.net/

                  billm

                  @buraglio:

                  It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

                  So it now authenticates accounts with > 16 char passwords?  And authenticates accounts with < 16 char passwords?  Only a PHP error to cleanup?  Good news.  Maybe the PHP error is coming from the $debug define.

                  –Bill

                  pfSense core developer
                  blog - http://www.ucsecurity.com/
                  twitter - billmarquette

                    buraglio

                    @billm:

                    @buraglio:

                    It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

                    So it now authenticates accounts with > 16 char passwords?  And authenticates accounts with < 16 char passwords?  Only a PHP error to cleanup?  Good news.  Maybe the PHP error is coming from the $debug define.

                    –Bill

                    Actually it only authenticates 16 char or below passwords.  I mistyped.  Sorry.

                    https://www.forwardingplane.net/

                      buraglio

                      Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                      https://www.forwardingplane.net/

                        sullrich

                        @buraglio:

                        Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                        Yes, please do.  Bill does not have access to a testing environment for this.

                          billm

                          @buraglio:

                          Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                          If you can provide me a radius target I can test this myself.

                          –Bill

                          pfSense core developer
                          blog - http://www.ucsecurity.com/
                          twitter - billmarquette

                            buraglio

                            I'll work on this this afternoon and post when it's done.

                            https://www.forwardingplane.net/

                              buraglio

                              @buraglio:

                              I'll work on this this afternoon and post when it's done.

                              I have this up, I'm still verifying correct functionality.  How would you like to go about testing?

                              https://www.forwardingplane.net/

                                buraglio

                                ok, I have this working whenever you'd like to start working on it.

                                https://www.forwardingplane.net/

                                  billm

                                  @buraglio:

                                  ok, I have this working whenever you'd like to start working on it.

                                  Can you PM me an IP to test against along with two usernames, one with a 15 char password, one with a 20 char password.  I can provide a static IP if needed that I'll be testing from.

                                  –Bill

                                  pfSense core developer
                                  blog - http://www.ucsecurity.com/
                                  twitter - billmarquette

                                    buraglio

                                    Sent.

                                    https://www.forwardingplane.net/

                                      billm

                                      OK, fixed.  Thanks!

                                      Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is committed.

                                      –Bill

                                      pfSense core developer
                                      blog - http://www.ucsecurity.com/
                                      twitter - billmarquette

                                        billm

                                        @billm:

                                        OK, fixed.  Thanks!

                                        Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is committed.

                                        –Bill

                                        I also verified that the code in HEAD works, it's only RELENG_1 that's affected by this.

                                        –Bill

                                        pfSense core developer
                                        blog - http://www.ucsecurity.com/
                                        twitter - billmarquette

                                          buraglio

                                          This works like a dream now, even in my wacky kerberos backended setup. 
                                          Thanks for all the hard work, it is appreciated.

                                          nb

                                          https://www.forwardingplane.net/

                                            sullrich

                                            So what exactly should I MFC?
