We have a Sonicwall SRA server configured to authenticate users using RADIUS to a Windows NPS Server running on Windows Server 2012 R2.

It all works fine EXCEPT when passwords contain the "£" character.

According to the RADIUS spec on page 24 the password field

contains UTF-8 encoded 10646 characters and String contains 8-bit binary data

I found a website that defines the pound sign as

0xC2 0xA3 (c2a3)

I hacked together a fairly ugly Perl script to implement the RADIUS password encryption for short passwords (<= 16 octets) using simple MD5 hashing and XORing (I'm no Perl expert so I know it's not pretty!)

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Shared secret and Request Authenticator (hex string)
my $secret        = "verysecret";
my $authenticator = '5354ff6a10cec708f2da74a8b268b98d';

# No "use utf8" here: if the script is saved as UTF-8, each pound sign
# is held as the two octets c2 a3, so this password is 16 octets long
my $pwd = "££££££££";

# Convert password to a hex string (/s so "." also matches a newline octet)
(my $pwdhex = $pwd) =~ s/(.)/sprintf("%02x",ord($1))/seg;

print "Password in HEX = " . $pwdhex . "\n";
print "Password in ASCII " . $pwd . "\n";

# Convert RA from hex string into bytes
$authenticator =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;

# Concatenate the secret and authenticator, then MD5 them
my $md5input = $secret . $authenticator;
my $md5 = md5($md5input);
(my $md5hex = $md5) =~ s/(.)/sprintf("%02x",ord($1))/seg;
print "Secret + RA (MD5)             " . $md5hex . "\n";

# XOR the digest with the password (only valid for passwords <= 16 octets)
my $encryptedpassword = $md5 ^ $pwd;

$encryptedpassword =~ s/(.)/sprintf("%02x",ord($1))/seg;

print "Computed Encrypted Password = " . $encryptedpassword . "\n";
```

Using a network trace of the RADIUS traffic I was able to show that the password was being correctly encrypted using c2a3 for each pound sign.

I was going to raise a ticket with Microsoft next as it looks like a problem in their RADIUS server implementation in NPS, but thought I'd post this rather interesting puzzle here first in case anyone had seen anything similar.

Phil