Netgate Discussion Forum

Radius authentication passphrase length

Captive Portal
    billm
    last edited by May 18, 2006, 5:29 PM

    Any debug from the Encrypt() function?  I tested it with 15-17 character passwords and it seemed to do the right thing there.  I don't have a way to test against RADIUS, but the function looks good now :-/

    –Bill

    pfSense core developer
    blog - http://www.ucsecurity.com/
    twitter - billmarquette

      buraglio
      last edited by May 18, 2006, 7:08 PM

      No real debug info from the Encrypt() function.  I can dig a little deeper.  I can also give you access to the box if you'd like.

      https://www.forwardingplane.net/

        buraglio
        last edited by May 18, 2006, 8:04 PM May 18, 2006, 8:02 PM

        So it does allow for shorter passwords but generates some errors:

        [code]
        radius-port: 1812
        radius-host: 10.10.102.2
        username: blahblah
        
        key: TestRadiusKey
        password: testpasswd
        username is blahblah with len 8 encryptedpassword is šJ»[à6%¤2ÍǃhÄ with len 10 nasHostname is portal-a.lab.local with len 18 
        writing 95 bytes
        
        Warning: Cannot modify header information - headers already sent by (output started at /usr/local/captiveportal/radius_authentication.inc:48) in /usr/local/captiveportal/index.php on line 335 
        radius-port: 1813
        radius-host: 10.10.2.25
        username: blahblah
        
        username is blahblah with len 8 nasHostname is portal-a.lab.local with len 18 
        writing 113 bytes
        [/code]
        
        The errors on the RADIUS server for a >16 char passphrase are as I'd expect for an incorrect passphrase.
        
        

        https://www.forwardingplane.net/

          billm
          last edited by May 18, 2006, 8:38 PM

          @buraglio:

          No real debug info from the Encrypt() function.  I can dig a little deeper.  I can also give you access to the box if you'd like.

          It'd be helpful to be able to point at a radius server with an account that has a 17 (or larger) character password.  I've got no way of testing that I'm following the RFC correctly - 16 and under still work with the new code I assume?

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

            buraglio
            last edited by May 18, 2006, 9:01 PM

            It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

            https://www.forwardingplane.net/

              billm
              last edited by May 18, 2006, 9:48 PM

              @buraglio:

              It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

              So it now authenticates accounts with > 16 char passwords?  And authenticates accounts with < 16 char passwords?  Only a PHP error to cleanup?  Good news.  Maybe the PHP error is coming from the $debug define.

              –Bill

              pfSense core developer
              blog - http://www.ucsecurity.com/
              twitter - billmarquette

                buraglio
                last edited by May 19, 2006, 3:52 PM

                @billm:

                @buraglio:

                It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

                So it now authenticates accounts with > 16 char passwords?  And authenticates accounts with < 16 char passwords?  Only a PHP error to cleanup?  Good news.  Maybe the PHP error is coming from the $debug define.

                –Bill

                Actually it only authenticates 16 char or below passwords.  I mistyped.  Sorry.

                https://www.forwardingplane.net/

                  buraglio
                  last edited by May 22, 2006, 7:36 PM

                  Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                  https://www.forwardingplane.net/

                    sullrich
                    last edited by May 22, 2006, 7:39 PM

                    @buraglio:

                    Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                    Yes, please do.  Bill does not have access to a testing environment for this.

                      billm
                      last edited by May 22, 2006, 7:40 PM

                      @buraglio:

                      Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                      If you can provide me a radius target I can test this myself.

                      –Bill

                      pfSense core developer
                      blog - http://www.ucsecurity.com/
                      twitter - billmarquette

                        buraglio
                        last edited by May 22, 2006, 7:44 PM

                        I'll work on this this afternoon and post when it's done.

                        https://www.forwardingplane.net/

                          buraglio
                          last edited by May 23, 2006, 6:53 PM

                          @buraglio:

                          I'll work on this this afternoon and post when it's done.

                          I have this up, I'm still verifying correct functionality.  How would you like to go about testing?

                          https://www.forwardingplane.net/

                            buraglio
                            last edited by May 23, 2006, 7:23 PM

                            ok, I have this working whenever you'd like to start working on it.

                            https://www.forwardingplane.net/

                              billm
                              last edited by May 23, 2006, 9:13 PM

                              @buraglio:

                              ok, I have this working whenever you'd like to start working on it.

                              Can you PM me an IP to test against along with two usernames, one with a 15 char password, one with a 20 char password.  I can provide a static IP if needed that I'll be testing from.

                              –Bill

                              pfSense core developer
                              blog - http://www.ucsecurity.com/
                              twitter - billmarquette

                                buraglio
                                last edited by May 23, 2006, 9:40 PM

                                Sent.

                                https://www.forwardingplane.net/

                                  billm
                                  last edited by May 24, 2006, 4:15 AM

                                  OK, fixed.  Thanks!

                                  Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is committed.

                                  –Bill

                                  pfSense core developer
                                  blog - http://www.ucsecurity.com/
                                  twitter - billmarquette

                                    billm
                                    last edited by May 24, 2006, 5:33 AM

                                    @billm:

                                    OK, fixed.  Thanks!

                                    Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is committed.

                                    –Bill

                                    I also verified that the code in HEAD works, it's only RELENG_1 that's affected by this.

                                    –Bill

                                    pfSense core developer
                                    blog - http://www.ucsecurity.com/
                                    twitter - billmarquette

                                      buraglio
                                      last edited by May 24, 2006, 4:39 PM

                                      This works like a dream now, even in my wacky kerberos backended setup. 
                                      Thanks for all the hard work, it is appreciated.

                                      nb

                                      https://www.forwardingplane.net/

                                        sullrich
                                        last edited by May 24, 2006, 4:44 PM

                                        So what exactly should I MFC?

                                          billm
                                          last edited by May 24, 2006, 5:50 PM

                                          @sullrich:

                                          So what exactly should I MFC?

                                          This:
                                          http://www.pfsense.org/~billm/radius_authentication.inc.diff.txt

                                          –Bill

                                          pfSense core developer
                                          blog - http://www.ucsecurity.com/
                                          twitter - billmarquette
