Bug #10352

RADIUS authentication fails with MSCHAPv1 or MSCHAPv2 when passwords contain international characters

Added by Jim Pingle 5 months ago.

Status: New
Priority: Very Low
Assignee: -
Category: Authentication
Target version:
Start date: 03/17/2020
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

RADIUS authentication fails with the authentication server entry set to use MSCHAPv1 or MSCHAPv2 when passwords contain international characters. Authentication with the same password succeeds when set to PAP or MD5-CHAP.

I've tried running through a few different encodings (UTF-8, UTF-16, and the chap module's own unicode conversion function) without success.

It works when using radtest at the CLI regardless of type passed to that program. Packet captures of similar requests don't show significant differences between PHP and radtest.

Could be a limitation of Crypt_CHAP_MSv1 / Crypt_CHAP_MSv2 / Auth_RADIUS_*, but we should at least eliminate possible local code causes first.

Low priority since there are ways to make it work (PAP, MD5-CHAP), and users could choose to use other compatible passwords.
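
An added example, not part of the original report or of the project's code: both MS-CHAP versions build their response from the NT password hash, which is MD4 over the UTF-16LE form of the password (NtPasswordHash in RFC 2759), so comparing that hash under different conversions is one way to rule the local encoding step in or out. The function names, the assumption that the password reaches the code as UTF-8, and the sample passwords are constructed for illustration; the byte-widening variant is a hypothetical stand-in for a conversion that is not Unicode-aware, not a confirmed cause of this bug.

```php
<?php
// Added example: compare candidate conversions feeding the MS-CHAP
// NT password hash (MD4 over the UTF-16LE password, RFC 2759).

// Unicode-aware conversion. Assumption: the password arrives as UTF-8.
function nt_hash_utf16le(string $utf8_password): string
{
    $utf16 = iconv('UTF-8', 'UTF-16LE', $utf8_password);
    if ($utf16 === false) {
        throw new InvalidArgumentException('password is not valid UTF-8');
    }
    return hash('md4', $utf16);
}

// Hypothetical non-Unicode-aware conversion: every input byte is followed
// by a NUL byte. This equals UTF-16LE only for 7-bit ASCII input.
function nt_hash_byte_widened(string $password_bytes): string
{
    $wide = '';
    for ($i = 0, $n = strlen($password_bytes); $i < $n; $i++) {
        $wide .= $password_bytes[$i] . "\0";
    }
    return hash('md4', $wide);
}

// Constructed sample passwords (not taken from the bug report):
// plain ASCII, Latin letters with diacritics, and Cyrillic.
$samples = ['password', 'pässwörd', 'пароль'];

foreach ($samples as $pw) {
    $unicode_aware = nt_hash_utf16le($pw);
    $widened = nt_hash_byte_widened($pw);
    $verdict = hash_equals($unicode_aware, $widened) ? 'match' : 'MISMATCH';
    printf(
        "%s\n  utf16le: %s\n  widened: %s\n  %s\n",
        $pw,
        $unicode_aware,
        $widened,
        $verdict
    );
}
```

A mismatch on the non-ASCII samples only shows that the two conversions diverge for such input; which form the RADIUS server expects still has to be confirmed against the value it computes for the same account.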
