Issues with clients.conf shared secret

Issues with clients.conf shared secret

Clos, Chris
For a quick history, I'm currently migrating an old server running Freeradius 1.0.5 on FreeBSD to a new server running Freeradius 3.0.16 on Ubuntu 18.04 (the one available via apt install).

We have thousands of clients configured in the clients.conf file with random passwords.  But I have found that when I use a combination of a comma (,) and greater than (>) or less than signs (<) in a shared secret, I get an error.  I have been able to at least narrow down this combination, but I'm suspecting there are more rules I should be aware of.

My question is what special characters are not able to be used with freeradius, or is there an escape method that will work in the shared secret field that will make them work?  The less I have to change on end devices the better.   I have tried scouring the documents and mailing list, but have not found anything showing special character rules.

For a sample of this, here's a clients.conf entry it errors on:


client 127.0.0.1 {
        secret          = abc,def<ghi123
        shortname       = test_sharedsecret
}


Running freeradius -CX, I get:
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
/etc/freeradius/3.0/clients.conf[2]: Parse error after "def": unexpected token "<"


Thank you!
Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Issues with clients.conf shared secret

Alan DeKok-2
On Jun 24, 2020, at 2:42 PM, Clos, Chris <[hidden email]> wrote:
>
> For a quick history, I'm currently migrating an old server running Freeradius 1.0.5 on FreeBSD to a new server running Freeradius 3.0.16 on Ubuntu 18.04 (the one available via apt install).

  Wow, that's old.

> We have thousands of clients configured in the clients.conf file with random passwords.  But I have found that when I use a combination of a comma (,) and greater than (>) or less than signs (<) in a shared secret, I get an error.  I have been able to at least narrow down this combination, but I'm suspecting there are more rules I should be aware of.
>
> My question is what special characters are not able to be used with freeradius, or is there an escape method that will work in the shared secret field that will make them work?  The less I have to change on end devices the better.   I have tried scouring the documents and mailing list, but have not found anything showing special character rules.

  You can still use the same shared secret.  The issue is that v1 was fairly flexible in what it accepted.  v3 is a lot more strict.

> For a sample of this, here's a clients.conf entry it errors on:
>
>
> client 127.0.0.1 {
>        secret          = abc,def<ghi123

  Just use

        secret = 'abc,def<ghi123'

  That way you only have to escape two characters in the secret: ' and \

        secret = 'quote\'and backslash\\end'

  Alan DeKok.
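
Added example, not part of the original thread and not FreeRADIUS project code: a Python helper that applies the single-quoting rule from the reply above to every bare-word secret in a clients.conf, for a migration with many clients. It assumes each unquoted secret is literal and runs to the end of its line with no trailing comment; the function names and the 192.0.2.x entries are constructed for illustration.

```python
import re

# A "secret = value" line; the value is taken to run to end of line (assumption).
SECRET_LINE = re.compile(r'^(?P<lead>\s*secret\s*=\s*)(?P<value>.*?)\s*$')

def quote_secret(raw):
    """Single-quote a literal secret, escaping only \\ and ' as the reply describes."""
    # Backslashes first, so the backslash added in front of ' is not doubled.
    escaped = raw.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

def requote_clients_conf(text):
    """Return (new_text, changed_line_numbers) with bare secrets single-quoted."""
    lines = text.split("\n")
    changed = []
    for i, line in enumerate(lines):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        # Empty or already-quoted values are left alone for manual review.
        if not value or value[0] in "'\"":
            continue
        lines[i] = m.group("lead") + quote_secret(value)
        changed.append(i + 1)
    return "\n".join(lines), changed

# Constructed sample: the entry from the post plus two made-up clients.
SAMPLE = """client 127.0.0.1 {
        secret          = abc,def<ghi123
        shortname       = test_sharedsecret
}
client 192.0.2.10 {
        secret          = it's\\here
        shortname       = constructed_example
}
client 192.0.2.11 {
        secret          = 'already,quoted<ok'
        shortname       = constructed_quoted
}
"""

if __name__ == "__main__":
    new_text, changed = requote_clients_conf(SAMPLE)
    print(new_text)
    print("rewritten lines:", changed)
```

Review the reported line numbers, then run freeradius -CX against the rewritten file, as in the original post, to confirm it parses.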



Re: Issues with clients.conf shared secret

Clos, Chris
Yes!  Super old version!  But going to be super happy to be updated!!!  

Thanks for the feedback and help so quickly!  It's very much appreciated!
