ExtremeWireless - shared secret with § doesn't work

  • 1
  • 1
  • Problem
  • Updated 2 years ago
  • Solved
I've upgraded a customers controller a while ago from 09.21.04.0007 to 09.21.11.0004 and after that 802.1X auth wasn't working.
We've loaded the rescue image as there was not enough time to troubleshoot the issue.

Last week we've tried again this time we went to v10.11 and had the same issue.
After some troublshooting I've changed the shared secret to 12345678 just to make sure that there was no issue with the very strong key that we've used and it was working.

Today I was able to find the "problem" character - if § is used it doesn't work.

I assume it's a supported character as the controller doesn't show any error message if I save the key.

Customer used Windows NPS and I've used my NAC to test it so it looks like a problem on the controller.

-Ron
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 47,558 Points 20k badge 2x thumb

Posted 2 years ago

  • 1
  • 1
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 12,960 Points 10k badge 2x thumb
Hi Ron,

that character is not part of 7 bit ASCII, thus it is encoded differently into byte values based on the character encoding used.

On my Unicode enabled system using the en_US.UTF-8 locale, § is implemented as Unicode character U+00A7, encoded as the single byte 0xA7 in ISO-8859-1 (latin1) encoding, the two bytes 0xC2 and 0xA7 in UTF-8 encoding and the four bytes 0xFE, 0xFF, 0x00, and 0xA7 in UTF-16 encoding.

The RADIUS shared secret is based on byte values, which could differ if different encodings are used on NAS and NAC.

To avoid such problems, I would suggest restricting passwords to use 7 bit ASCII characters only.

Erik
Photo of Ronald Dvorak

Ronald Dvorak, Embassador

  • 47,558 Points 20k badge 2x thumb
MMMmhhhh, that doesn't work with my strong key generation process = banging my head 10 times on the keyboard :-)
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 12,960 Points 10k badge 2x thumb
You should use a US keyboard, that does not provide non-ASCII characters accessible via head banging. ;-)
Photo of Ty Kolff

Ty Kolff

  • 1,098 Points 1k badge 2x thumb
That is really good information to know.  Thanks for sharing Ron!