Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Radius authentication passphrase length

    Scheduled Pinned Locked Moved Captive Portal
    45 Posts 4 Posters 20.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      billm
      last edited by

      @buraglio:

      No real debug info from the Encrypt() function.  I can dig a little deeper.  I can also give you access to the box if you'd like.

      It'd be helpful to be able to point at a radius server with an account that has a 17 (or larger) character password.  I've got no way of testing that I'm following the RFC correctly - 16 and under still work with the new code I assume?

      –Bill

      pfSense core developer
      blog - http://www.ucsecurity.com/
      twitter - billmarquette

      1 Reply Last reply Reply Quote 0
      • B
        buraglio
        last edited by

        It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

        https://www.forwardingplane.net/

        1 Reply Last reply Reply Quote 0
        • B
          billm
          last edited by

          @buraglio:

          It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

          So it now authenticates accounts with > 16 char passwords?  And authenticates accounts with < 16 char passwords?  Only a PHP error to cleanup?  Good news.  Maybe the PHP error is coming from the $debug define.

          –Bill

          pfSense core developer
          blog - http://www.ucsecurity.com/
          twitter - billmarquette

          1 Reply Last reply Reply Quote 0
          • B
            buraglio
            last edited by

            @billm:

            @buraglio:

            It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors.  I assume that is a cosmetic fix and not critical.  I can work on getting a radius box up probably tomorrow if that'd be helpful.

            So it now authenticates accounts with > 16 char passwords?  And authenticates accounts with < 16 char passwords?  Only a PHP error to cleanup?  Good news.  Maybe the PHP error is coming from the $debug define.

            –Bill

            Actually it only authenticates 16 char or below passwords.  I mistyped.  Sorry.

            https://www.forwardingplane.net/

            1 Reply Last reply Reply Quote 0
            • B
              buraglio
              last edited by

              Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

              https://www.forwardingplane.net/

              1 Reply Last reply Reply Quote 0
              • S
                sullrich
                last edited by

                @buraglio:

                Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                Yes, please do.  Bill does not have access to a tesitng environment for this.

                1 Reply Last reply Reply Quote 0
                • B
                  billm
                  last edited by

                  @buraglio:

                  Has anyone else noticed this behavior?  Would it be beneficial for me to set up a RADIUS box and give you access to test against?

                  If you can provide me a radius target I can test this myself.

                  –Bill

                  pfSense core developer
                  blog - http://www.ucsecurity.com/
                  twitter - billmarquette

                  1 Reply Last reply Reply Quote 0
                  • B
                    buraglio
                    last edited by

                    I'll work on this this afternoon and post when it's done.

                    https://www.forwardingplane.net/

                    1 Reply Last reply Reply Quote 0
                    • B
                      buraglio
                      last edited by

                      @buraglio:

                      I'll work on this this afternoon and post when it's done.

                      I have this up, I'm still verifying correct functionality.  How would you like to go about testing?

                      https://www.forwardingplane.net/

                      1 Reply Last reply Reply Quote 0
                      • B
                        buraglio
                        last edited by

                        ok, I have this working whenever you'd like to start working on it.

                        https://www.forwardingplane.net/

                        1 Reply Last reply Reply Quote 0
                        • B
                          billm
                          last edited by

                          @buraglio:

                          ok, I have this working whenever you'd like to start working on it.

                          Can you PM me an IP to test against along with two usernames, one with a 15 char password, one with a 20 char password.  I can provide a static IP if needed that I'll be testing from.

                          –Bill

                          pfSense core developer
                          blog - http://www.ucsecurity.com/
                          twitter - billmarquette

                          1 Reply Last reply Reply Quote 0
                          • B
                            buraglio
                            last edited by

                            Sent.

                            https://www.forwardingplane.net/

                            1 Reply Last reply Reply Quote 0
                            • B
                              billm
                              last edited by

                              OK, fixed.  Thanks!

                              Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is commited.

                              –Bill

                              pfSense core developer
                              blog - http://www.ucsecurity.com/
                              twitter - billmarquette

                              1 Reply Last reply Reply Quote 0
                              • B
                                billm
                                last edited by

                                @billm:

                                OK, fixed.  Thanks!

                                Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is commited.

                                –Bill

                                I also verified that the code in HEAD works, it's only RELENG_1 that's affected by this.

                                –Bill

                                pfSense core developer
                                blog - http://www.ucsecurity.com/
                                twitter - billmarquette

                                1 Reply Last reply Reply Quote 0
                                • B
                                  buraglio
                                  last edited by

                                  This works like a dream now, even in my wacky kerberos backended setup. 
                                  Thanks for all the hard work, it is appreciated.

                                  nb

                                  https://www.forwardingplane.net/

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    sullrich
                                    last edited by

                                    So what exactly should I MFC?

                                    1 Reply Last reply Reply Quote 0
                                    • B
                                      billm
                                      last edited by

                                      @sullrich:

                                      So what exactly should I MFC?

                                      This:
                                      http://www.pfsense.org/~billm/radius_authentication.inc.diff.txt

                                      –Bill

                                      pfSense core developer
                                      blog - http://www.ucsecurity.com/
                                      twitter - billmarquette

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        sullrich
                                        last edited by

                                        Commited!

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          hoba
                                          last edited by

                                          Send it over to the m0ther too  ;D

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.