Freeradius as a proxy to Windows IAS - reserved characters in shared secret?
clive gould
2007-08-01 08:10:41 UTC
Hi

Thanks once again for all the advice :-)

Does anyone know if there are some characters that are reserved, i.e. cannot
be used in secret keys with a freeradius server? If so, what are they?

I've been experimenting with the radtest client and the freeradius
server using local unix validation with interesting results.

1) If I use a secret key (16+ characters and the same key in both the
radtest client and freeradius clients.conf) that contains pure alpha
characters the key is accepted and authorisation is successful.

2) If I use a secret key (similar to the one set on the IAS server)
containing characters such as $\[ then the key is rejected and
authorisation is unsuccessful. I have tried enclosing the key in
single and double quotes, but the key is still rejected.

Hopefully getting nearer to a solution...

Thanks very much

Clive
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
clive gould
2007-08-01 08:26:42 UTC
Hi

I've just been doing some research on the net and found this link on
the GNU radius client reference page:

http://www.gnu.org/software/radius/manual/html_chapter/radius_13.html#SEC262

It looks as if the radtest client has reserved characters.

Does anyone know if this applies to shared secrets with the Freeradius
server as well?

Thanks

Clive
Alan DeKok
2007-08-01 13:51:38 UTC
clive gould wrote:
> I've just been doing some research on the net and found this link on
> http://www.gnu.org/software/radius/manual/html_chapter/radius_13.html#SEC262
> It looks as if the radtest client has reserved characters.

The characters are *escaped*, not *reserved*.
clive gould wrote:
> Does anyone know if this applies to shared secrets with the Freeradius
> server as well?

The shared secrets in FreeRADIUS have *no* reserved characters. They
*can* be double-quoted strings, with all of the usual conditions for
escaping characters.

This is less of a FreeRADIUS-specific issue than a standard Unix way
of doing things.

Alan DeKok.
Claudiu Filip
2007-08-01 10:26:35 UTC
Hi clive,
clive gould wrote:
> 2) If I use a secret key (similar to the one set on the IAS server)
> containing characters such as $\[ then the key is rejected and

Character "Escape from Alcatraz", a classic movie with Clint Eastwood..
Be careful with character escaping and the bash CLI (always use single
quotes to pass to radtest what you want).
Also avoid ${foo} as a secret.

client 127.0.0.1 { secret = "\044{prefix}" }
radtest gigi kent 127.0.0.1 1 '/radiusd' => OK!! ($prefix = /radiusd)

client 127.0.0.1 { secret = "\\testing123" }
radtest gigi kent 127.0.0.1 1 '\testing123' => OK
radtest gigi kent 127.0.0.1 1 "\testing123" => OK (because bash does not expand \t)
radtest gigi kent 127.0.0.1 1 "\\testing123" => OK (because bash expands \\t to \t)
radtest gigi kent 127.0.0.1 1 '\\testing123' => NOT ok

client 127.0.0.1 { secret = "$\[" }
radtest gigi kent 127.0.0.1 1 '$[' => OK

client 127.0.0.1 { secret = "$\\[" }
radtest gigi kent 127.0.0.1 1 '$\[' => OK

Have fun!


Best regards,

Claudiu Filip
@: ***@globtel.ro
Http://www.globtel.ro
T:+40344880100
F:+40344880113


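The rule in Alan's reply (a double-quoted secret with the usual escaping) and the quoting experiments in Claudiu's post, as an added example that is not code from the thread or from FreeRADIUS. It decodes a clients.conf secret using escape rules inferred from the results reported above (an assumption about the parser, not a reading of it), produces the single-quoted form to type into a POSIX shell for radtest, and then uses the RFC 2865 User-Password hiding that an Access-Request carries to show why a secret that differs by one byte between client and server is rejected. The secrets, the `prefix` variable value and the password `kent` are constructed to mirror the thread.

```python
"""Added example, not code from the thread or from FreeRADIUS: decode a
clients.conf secret, quote it for the shell, and show why a one-byte
secret mismatch makes the server reject the Access-Request."""
import hashlib
import os
import re
import shlex
from typing import Optional

_CONTROLS = {"n": b"\n", "t": b"\t", "r": b"\r"}


def decode_conf_secret(quoted: str, variables: Optional[dict] = None) -> bytes:
    """Turn a double-quoted clients.conf value into the secret bytes.

    ASSUMPTION: these rules are inferred from the results reported in the
    thread, not from the FreeRADIUS parser: \\ooo is an octal byte
    ("\\044" -> "$"), \\\\ is one backslash, \\n \\t \\r are controls, any
    other escaped character stands for itself ("\\[" -> "["), and after
    unescaping a ${name} reference is replaced by that config variable.
    Verify against your own server version before relying on it.
    """
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("expected a double-quoted string")
    body, out, i = quoted[1:-1], bytearray(), 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out += ch.encode()
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash")
        digits = body[i + 1:i + 4]
        if len(digits) == 3 and all(d in "01234567" for d in digits):
            out.append(int(digits, 8))
            i += 4
            continue
        nxt = body[i + 1]
        out += _CONTROLS.get(nxt, nxt.encode())
        i += 2

    def expand(m):
        name = m.group(1).decode()
        return (variables or {}).get(name, m.group(0).decode()).encode()

    return re.sub(rb"\$\{(\w+)\}", expand, bytes(out))


def radtest_argument(secret: bytes) -> str:
    """Quote the secret for a POSIX shell so radtest gets it byte for byte.
    Single quotes, as the thread advises, stop $ \\ and [ from being
    interpreted; shlex.quote also copes with embedded single quotes."""
    return shlex.quote(secret.decode())


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16
    bytes and XOR each block with MD5(secret + previous ciphertext block),
    seeded with the 16-byte Request Authenticator."""
    length = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(length, b"\x00")
    out, prev = bytearray(), authenticator
    for off in range(0, length, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[off:off + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it with *its* copy of
    the secret; the zero padding is stripped."""
    out, prev = bytearray(), authenticator
    for off in range(0, len(hidden), 16):
        block = hidden[off:off + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def server_accepts(client_secret: bytes, server_secret: bytes, password: bytes) -> bool:
    """Client hides the password with its secret, server reveals it with its
    own. One byte of difference between the two secrets changes every MD5
    output, so the server sees garbage and answers Access-Reject."""
    authenticator = os.urandom(16)  # Request Authenticator, picked by the client
    hidden = hide_password(password, client_secret, authenticator)
    return reveal_password(hidden, server_secret, authenticator) == password


if __name__ == "__main__":
    # Constructed cases mirroring the clients.conf lines posted in the thread;
    # {"prefix": "/radiusd"} stands in for the server's ${prefix} variable.
    cases = [('"\\044{prefix}"', {"prefix": "/radiusd"}),
             ('"\\\\testing123"', {}),
             ('"$\\["', {}),
             ('"$\\\\["', {})]
    for conf, variables in cases:
        secret = decode_conf_secret(conf, variables)
        print(f"secret = {conf:16} -> {secret!r:16} radtest ... {radtest_argument(secret)}")
    server = decode_conf_secret('"$\\\\["')  # server holds the bytes  $\[
    print("matching secret accepted:", server_accepts(server, server, b"kent"))
    print("backslash lost in the shell:", server_accepts(b"$[", server, b"kent"))
```

The `${prefix}` case is the trap Claudiu warns about: once `\044` has become `$`, the secret reads `${prefix}` and is replaced by the server's own config variable, so the secret you think you configured is not the one in use. When a secret is rejected, comparing the decoded bytes with what `radtest` receives (single-quoted, or printed with `od -c`) is quicker than guessing at reserved characters.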