Topic: Special Character Passwords

Hi All,

So I'm working with DD-WRT (similar to OpenWrt for those not familiar), and I have everything working EXCEPT the hotspot won't recognize special characters in passwords. The password I use has a * in it and the FreeRADIUS error log replaces it with a _. Does anyone have a way around this? I'm working with the provided hotspotlogin.cgi script, but for some reason it's giving this problem. Any help is much appreciated. Providing the log info below:

rad_recv: Access-Request packet from host 192.168.1.6 port 2062, id=0, length=198
    User-Name = "lucas"
    User-Password = "***********"   -  This has been masked but the * in the password was replaced by _ in the log
    NAS-IP-Address = 0.0.0.0
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.7
    Calling-Station-Id = "F8-A9-D0-0C-34-F7"
    Called-Station-Id = "00-26-18-93-2B-80"
    NAS-Identifier = "wi-fi-2"
    Acct-Session-Id = "53da7f1200000001"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Message-Authenticator = 0xf93c4e509c2ca6d7879024d42f08bc04
    WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[preprocess] returns ok
[auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.1.6/auth-detail-20140731
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.1.6/auth-detail-20140731
[auth_log]     expand: %t -> Thu Jul 31 11:42:12 2014
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "lucas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "lucas", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[unix] returns updated
[sql]     expand: %{Stripped-User-Name} -> 
[sql]     ... expanding second conditional
[sql]     expand: %{User-Name} -> lucas
[sql]     expand: %{%{User-Name}:-DEFAULT} -> lucas
[sql]     expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> lucas
[sql] sql_set_user escaped user --> 'lucas'
rlm_sql (sql): Reserving sql socket id: 4
[sql]     expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'lucas'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'lucas'           ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'lucas'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'lucas'           ORDER BY id
[sql]     expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'lucas'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'lucas'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[etc_passwd] Added Crypt-Password: 'x' to config_items 
++[etc_passwd] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "********" - Password masked * was replaced by _
[pap] Using CRYPT password "$6$GEl/c1mT$JJ2bafZWOc3rNQddm59K1qMHq0K3uymNfS7RgRtRY2wr4xJ25jeHjs4OOAvIqMhX9AsDaGYPLthxtgW6cFXsz0"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.1.6 port 2062
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +134
Ready to process requests.

Re: Special Character Passwords

Hello All,

I have realized where the breakdown is.  Please see the line of code that was modified:

Modified:

$OK_CHARS='-a-zA-Z0-9_.@&=%!*';
$| = 1;
if ($ENV{'CONTENT_LENGTH'}) {
    read (STDIN, $_, $ENV{'CONTENT_LENGTH'});

Original:

$OK_CHARS='-a-zA-Z0-9_.@&=%!';
$| = 1;
if ($ENV{'CONTENT_LENGTH'}) {
    read (STDIN, $_, $ENV{'CONTENT_LENGTH'});

The * was missing from the noted "OK_CHARS" set of acceptable characters. I have added it in, and it works just fine.
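
The following is an added example, not part of the original posts or of hotspotlogin.cgi: it runs constructed passwords through both OK_CHARS sets quoted above to show which ones reach RADIUS unchanged. It assumes the login form is submitted as application/x-www-form-urlencoded and that every character outside the set is replaced with "_" (the behaviour the debug log shows for "*"); the field names UserName and Password and the helper functions are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-lists quoted in the thread.
my %SETS = (
    original => '-a-zA-Z0-9_.@&=%!',
    modified => '-a-zA-Z0-9_.@&=%!*',
);

# Assumption: browser form encoding sends letters, digits and * - . _ raw,
# turns a space into "+", and percent-encodes everything else as %XX.
sub form_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9*\-._ ])/sprintf('%%%02X', ord $1)/ge;
    $s =~ tr/ /+/;
    return $s;
}

sub form_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Assumption: any character outside the set is silently replaced with "_"
# in the raw request body, before the fields are split and decoded.
sub filter_body {
    my ($ok, $body) = @_;
    $body =~ s/[^${ok}]/_/g;
    return $body;
}

# Constructed sample passwords, not taken from the thread.
my @samples = ('pa*ss', 'pa#ss', 'pa ss', 'pa+ss', 'plain-1.x');

for my $name (qw(original modified)) {
    print "== $name set ==\n";
    for my $pw (@samples) {
        # Hypothetical field names; only the Password value matters here.
        my $body = 'UserName=lucas&Password=' . form_encode($pw);
        my $seen = filter_body($SETS{$name}, $body);
        my ($got) = $seen =~ /(?:^|&)Password=([^&]*)/;
        $got = form_decode($got);
        printf "%-12s -> %-12s %s\n", "'$pw'", "'$got'",
            $got eq $pw ? 'intact' : 'ALTERED before RADIUS';
    }
}
```

Under these assumptions, 'pa*ss' is the only sample whose result differs between the two sets, because "*" is sent raw while "#" and a literal "+" travel as %23 and %2B and pass the filter. 'pa ss' is altered under both sets, since the "+" that encodes the space is in neither.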