0 votes
146 views 2 comments
by

Hello,

I'm trying to understand a behaviour I have with a RUT950 but also more globally with Coova and if something can be done on any side to avoid this.
I have a hotspot configured with an external splash page + an external RADIUS (freeradius 2).

Most of the time everything is working fine and clients are authenticated properly, but from time to time the User-Password sent by the RUT in the RADIUS Access-Request is not decoded properly and I don't understand why exactly:

rad_recv: Access-Request packet from host....
        ChilliSpot-Version = "1.3.0"
        User-Name = "test"
        User-Password = "\242\033\351*\363\371/\341\252\026c\205R\277G\352"
        Service-Type = Login-User

Causing the auth to fail of course:

Info: +group PAP {
Info: [pap] login attempt with password "�?�*��/�?c?R�G�"
Info: [pap] Using clear text password "test"
Info: [pap] Passwords don't match
Info: ++[pap] = reject
Info: +} # group PAP = reject
Info: Failed to authenticate the user.
Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test/\242\033\351*\363\371/\341\252\026c\205R\277G\352] 
Debug:   WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!

I saw this topic but no answers were provided: https://community.teltonika-networks.com/14108/external-radius-pap-password-coding

Is there something that can be done at any level to avoid this untimely behavior?

Thanks and regards

1 Answer

0 votes
by
Hi,

Could you please download and send me a troubleshoot file after decoding fails? Please do it via private message.

EB.
by

Hi,

As it's not happening every time, the only way I found to reproduce the issue is by changing the challenge parameter in the splash page url, so of course when I'm doing this I'm getting a wrong password.

Do you think the troubleshoot file will help in that case, which is not really the same as when it happens? As I didn't understand yet why it's happening.
Would you be able to detail this decoding process before the RUT sends the RADIUS Access-Request? That could help me to better understand the process.

I'm not the dev of our software but our code (which is working most of the time) after the splash page is:

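// Decode the 32-hex-digit challenge into 16 raw bytes.
$hexchal = pack ("H32", $challenge);
// Mix in the UAM secret: MD5(challenge . uamsecret) is the 16-byte XOR mask.
$newchal = pack ("H*", md5($hexchal . $uamsecret));
// NUL-pad the password to 32 bytes.
$newpwd = pack("a32", $password);
// XOR with the mask and hex-encode; the result is 32 hex digits (16 bytes).
$pappassword = implode ("", unpack("H32", ($newpwd ^ $newchal)));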

Then we post the credentials that the RUT will use for the auth with $uamip:$uamport/logon?username=$username&password=$pappassword

Thanks

Fabien.
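
The encoding in the post above, modelled in Python as an added example (not code from the thread, Teltonika or CoovaChilli): it shows that decoding with a different challenge than the one the portal used yields unprintable bytes like those in the rejected request, and that this scheme keeps only the first 16 bytes of a password. The decode side is an assumption (the hotspot reverses the XOR using the challenge it holds for the session), the RADIUS shared-secret layer is not modelled, and the secret and challenges are constructed values.

```python
import hashlib

def uam_mask(challenge_hex: str, uamsecret: str) -> bytes:
    """MD5(challenge_bytes + uamsecret): the 16-byte XOR mask from the PHP snippet."""
    chal = bytes.fromhex(challenge_hex[:32])          # pack("H32", $challenge)
    return hashlib.md5(chal + uamsecret.encode()).digest()

def portal_encode(password: str, challenge_hex: str, uamsecret: str) -> str:
    """Portal side: pack("a32") ^ mask, then unpack("H32")."""
    padded = password.encode().ljust(32, b"\0")[:32]
    mask = uam_mask(challenge_hex, uamsecret)
    # PHP string XOR stops at the shorter operand, so only 16 bytes survive.
    return bytes(p ^ m for p, m in zip(padded, mask)).hex()

def nas_decode(pap_hex: str, challenge_hex: str, uamsecret: str) -> bytes:
    """Assumed hotspot side: XOR with the mask built from its own copy of the challenge."""
    mask = uam_mask(challenge_hex, uamsecret)
    plain = bytes(c ^ m for c, m in zip(bytes.fromhex(pap_hex), mask))
    return plain.rstrip(b"\0")

def looks_garbled(password: bytes) -> bool:
    """True when the decoded password contains non-printable bytes."""
    return any(b < 0x20 or b > 0x7E for b in password)

# Constructed sample values, not taken from the thread.
SECRET = "example-uamsecret"
CHAL_PORTAL = "00112233445566778899aabbccddeeff"   # challenge the portal encoded with
CHAL_OTHER = "ffeeddccbbaa99887766554433221100"    # a different challenge on the hotspot

if __name__ == "__main__":
    token = portal_encode("test", CHAL_PORTAL, SECRET)
    good = nas_decode(token, CHAL_PORTAL, SECRET)
    bad = nas_decode(token, CHAL_OTHER, SECRET)
    print("same challenge     :", good, "garbled:", looks_garbled(good))
    print("different challenge:", bad, "garbled:", looks_garbled(bad))
    long_token = portal_encode("a-password-over-16-chars", CHAL_PORTAL, SECRET)
    print("long password kept :", nas_decode(long_token, CHAL_PORTAL, SECRET))
```

Logging the challenge value on both sides when a login fails makes it possible to compare them directly for the affected session.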

by
Can't guarantee that troubleshoot file will help to solve this, but I would like to look deeper into the configuration you have for PAP. This way maybe I'll find something that doesn't fit.

EB.