Project

General

Profile

Actions

Bug #10352

open

RADIUS authentication fails with MSCHAPv1 or MSCHAPv2 when passwords contain international characters

Added by Jim Pingle over 4 years ago. Updated over 2 years ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
Authentication
Target version:
Start date:
03/17/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

RADIUS authentication fails with the authentication server entry set to use MSCHAPv1 or MSCHAPv2 when passwords contain international characters. Authentication with the same password succeeds when set to PAP or MD5-CHAP.

I've tried running through a few different encodings (UTF-8, UTF-16, and the chap module's own unicode conversion function) without success.

It works when using radtest at the CLI regardless of type passed to that program. Packet captures of similar requests don't show significant differences between PHP and radtest.

Could be a limitation of Crypt_CHAP_MSv1 / Crypt_CHAP_MSv2 / Auth_RADIUS_*, but we should at least eliminate possible local code causes first.

Low priority since there are ways to make it work (PAP, MD5-CHAP), and users could choose to use other compatible passwords.

Actions #1

Updated by Oscar Mrbt about 4 years ago

I tried with PAP and MD5-CHAP on
2.4.3-RELEASE (amd64) memstick serial and
FreeBSD 11.1-RELEASE-p7

but the result once decoded in Wireshark looks like the same UNICODE Byte !

Actions #2

Updated by Jim Pingle about 4 years ago

Use the current release 2.4.5-p1 or a development snapshot (2.5.0). Testing with older/unsupported versions is irrelevant.

Actions #3

Updated by Kris Phillips about 3 years ago

Similar issue with LDAP authentication #12519

Actions #4

Updated by Patrick Vander Linden over 2 years ago

The issue is still present on 22.01-RELEASE
Any foreseen planning to fix this issue ?
Is someone working on it ? maybe me then ;)

Actions

Also available in: Atom PDF