Radius authentication passphrase length
-
So it does allow for shorter passwords but generates some errors:
[code]
radius-port: 1812
radius-host: 10.10.102.2
username: blahblah
key: TestRadiusKey
password: testpasswd
username is blahblah with len 8
encryptedpassword is šJ»[à6%¤2ÍǃhÄ with len 10
nasHostname is portal-a.lab.local with len 18
writing 95 bytes
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/captiveportal/radius_authentication.inc:48) in /usr/local/captiveportal/index.php on line 335
radius-port: 1813
radius-host: 10.10.2.25
username: blahblah
username is blahblah with len 8
nasHostname is portal-a.lab.local with len 18
writing 113 bytes
[/code]
The errors on the RADIUS server for a >16 char passphrase are as I'd expect for an incorrect passphrase.
-
No real debug info from the Encrypt() function. I can dig a little deeper. I can also give you access to the box if you'd like.
It'd be helpful to be able to point at a radius server with an account that has a 17 (or larger) character password. I've got no way of testing that I'm following the RFC correctly - 16 and under still work with the new code I assume?
–Bill
-
It authenticates with the new code with a RADIUS box with >=16 passwords but the redirection after fails with some php errors. I assume that is a cosmetic fix and not critical. I can work on getting a radius box up probably tomorrow if that'd be helpful.
-
So it now authenticates accounts with > 16 char passwords? And authenticates accounts with < 16 char passwords? Only a PHP error to cleanup? Good news. Maybe the PHP error is coming from the $debug define.
–Bill
-
Actually it only authenticates 16 char or below passwords. I mistyped. Sorry.
-
Has anyone else noticed this behavior? Would it be beneficial for me to set up a RADIUS box and give you access to test against?
-
Yes, please do. Bill does not have access to a testing environment for this.
-
If you can provide me a radius target I can test this myself.
–Bill
-
I'll work on this this afternoon and post when it's done.
-
I have this up, I'm still verifying correct functionality. How would you like to go about testing?
-
ok, I have this working whenever you'd like to start working on it.
-
Can you PM me an IP to test against along with two usernames, one with a 15 char password, one with a 20 char password. I can provide a static IP if needed that I'll be testing from.
–Bill
-
Sent.
-
OK, fixed. Thanks!
Grab http://www.pfsense.org/~billm/radius_authentication.inc.txt until this is committed.
–Bill
-
I also verified that the code in HEAD works, it's only RELENG_1 that's affected by this.
–Bill
-
This works like a dream now, even in my wacky kerberos backended setup.
Thanks for all the hard work, it is appreciated.nb
-
So what exactly should I MFC?
-
This:
http://www.pfsense.org/~billm/radius_authentication.inc.diff.txt
–Bill
-
Committed!
-
Send it over to the m0ther too ;D
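
Added illustration, not part of the thread and not the pfSense code: the User-Password hiding from RFC 2865 section 5.2 (assumed here to be the RFC Bill refers to), where each 16-octet block is XORed with MD5(secret + previous ciphertext block). The thread does not show what the RELENG_1 defect actually was; `hide_password_unchained` is a hypothetical faulty client, and the passwords and Request Authenticator are constructed, chosen to show why an error in block chaining leaves passwords of 16 characters or fewer working while longer ones are rejected.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; the password is processed in 16-octet blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # null-pad to a block multiple
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev  # this ciphertext block feeds the next block's MD5 input
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: undo the chain, then strip the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def hide_password_unchained(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hypothetical faulty client: reuses MD5(secret + authenticator) for every block."""
    padded = password + b"\x00" * (-len(password) % BLOCK)
    pad = hashlib.md5(secret + authenticator).digest()
    return b"".join(_xor(padded[i:i + BLOCK], pad) for i in range(0, len(padded), BLOCK))

if __name__ == "__main__":
    secret = b"TestRadiusKey"   # shared secret shown in the thread's debug output
    ra = os.urandom(BLOCK)      # constructed Request Authenticator
    # Constructed 15- and 20-character test passwords, as requested in the thread.
    for pw in (b"fifteen-chars15", b"twenty-characters-20"):
        good = recover_password(hide_password(pw, secret, ra), secret, ra) == pw
        bad = recover_password(hide_password_unchained(pw, secret, ra), secret, ra) == pw
        print(len(pw), "chars: chained accepted =", good, "| unchained accepted =", bad)
```

The first block is identical in both versions, so a single-block password can never expose a chaining error; only a test account with a password of 17 characters or more does, which is why the thread needed one.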