0 votes
468 views 2 comments
by anonymous

Hello,

I'm trying to understand a behaviour I have with a RUT950 but also more globally with Coova and if something can be done on any side to avoid this.
I have a hotspot configured with an external splash page + an external RADIUS (FreeRADIUS 2).

Most of the time everything is working fine and clients are authenticated properly, but from time to time the User-Password sent by the RUT in the RADIUS Access-Request is not decoded properly and I don't understand why exactly:

rad_recv: Access-Request packet from host....
        ChilliSpot-Version = "1.3.0"
        User-Name = "test"
        User-Password = "\242\033\351*\363\371/\341\252\026c\205R\277G\352"
        Service-Type = Login-User

Causing the auth to fail, of course:

Info: +group PAP {
Info: [pap] login attempt with password "�?�*��/�?c?R�G�"
Info: [pap] Using clear text password "test"
Info: [pap] Passwords don't match
Info: ++[pap] = reject
Info: +} # group PAP = reject
Info: Failed to authenticate the user.
Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test/\242\033\351*\363\371/\341\252\026c\205R\277G\352] 
Debug:   WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!

I saw this topic but no answers were provided: https://community.teltonika-networks.com/14108/external-radius-pap-password-coding

Is there something that can be done at any level to avoid this untimely behavior?

Thanks and regards

1 Answer

0 votes
by anonymous
Hi,

Could you please download and send me a troubleshoot file after decoding fails? Please do it via private message.

EB.
by anonymous

Hi,

As it's not happening every time, the only way I found to reproduce the issue is by changing the challenge parameter in the splash page URL, so of course when I'm doing this I'm getting a wrong password.

Do you think the troubleshoot file will help in that case, which is not really the same as when it happens? As I didn't understand yet why it's happening.
Would you be able to detail this decoding process before the RUT sends the RADIUS Access-Request? That could help me to better understand the process.

I'm not the dev of our software but our code (which is working most of the time) after the splash page is:

$hexchal = pack ("H32", $challenge);
$newchal = pack ("H*", md5($hexchal . $uamsecret));
$newpwd = pack("a32", $password);
$pappassword = implode ("", unpack("H32", ($newpwd ^ $newchal)));

Then we post the credentials that the RUT will use for the auth with $uamip:$uamport/logon?username=$username&password=$pappassword

Thanks

Fabien.
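
Added example (not part of the original posts, and not Teltonika's or CoovaChilli's code): a Python model of the portal-side encoding from the PHP above, paired with an assumed NAS-side reversal, to show what the decoded password looks like when the challenge or uamsecret used by the portal differs from the one the NAS holds. The function names, the sample challenges and the secret are constructed for illustration, and `nas_decode` is an assumption about the RUT's behaviour inferred from the portal code.

```python
import hashlib

def uam_pad(challenge_hex: str, uamsecret: str) -> bytes:
    """16-byte pad both sides derive: MD5(challenge bytes + uamsecret)."""
    chal = bytes.fromhex(challenge_hex[:32])          # pack("H32", $challenge)
    return hashlib.md5(chal + uamsecret.encode()).digest()

def portal_encode(password: str, challenge_hex: str, uamsecret: str) -> str:
    """Portal side, mirroring the PHP: NUL-pad, XOR with the pad, hex-encode."""
    padded = password.encode().ljust(32, b"\0")       # pack("a32", $password)
    pad = uam_pad(challenge_hex, uamsecret)
    # PHP's string XOR stops at the shorter operand, so 16 bytes come out.
    return bytes(p ^ k for p, k in zip(padded, pad)).hex()

def nas_decode(pap_hex: str, challenge_hex: str, uamsecret: str) -> bytes:
    """ASSUMED NAS side: XOR again with the pad for the challenge it holds."""
    pad = uam_pad(challenge_hex, uamsecret)
    raw = bytes(c ^ k for c, k in zip(bytes.fromhex(pap_hex), pad))
    return raw.rstrip(b"\0")

def is_printable(raw: bytes) -> bool:
    """True when every byte is printable ASCII."""
    return all(0x20 <= b < 0x7F for b in raw)

# Constructed sample values, not taken from the thread.
ISSUED = "00112233445566778899aabbccddeeff"   # challenge the portal used
CURRENT = "ffeeddccbbaa99887766554433221100"  # different challenge on the NAS
SECRET = "constructed-uamsecret"

def demo() -> dict:
    """Decode one logon password under matching and mismatched inputs."""
    pap = portal_encode("test", ISSUED, SECRET)
    return {
        "match": nas_decode(pap, ISSUED, SECRET),
        "wrong_challenge": nas_decode(pap, CURRENT, SECRET),
        "wrong_secret": nas_decode(pap, ISSUED, SECRET + "x"),
    }

if __name__ == "__main__":
    for case, raw in demo().items():
        print(f"{case:16} printable={is_printable(raw)} value={raw!r}")
```

In this model the XOR carries no integrity check, so a mismatched challenge or uamsecret never raises an error; it only yields unprintable bytes of the kind shown in the Access-Request above.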

by anonymous
Can't guarantee that the troubleshoot file will help to solve this, but I would like to look deeper into the configuration you have for PAP. This way maybe I'll find something that doesn't fit.

EB.