Virtual Secure Web Gateway

  • 1.  User passwords with "#" symbol are not sent correctly to RADIUS server

    Posted Apr 17, 2015 09:02 AM

    I've configured SWG for RADIUS authentication (via MS AD and NPS). At first it worked, but after changing my password to a new one I couldn't log in to SWG anymore. While researching the problem, I ended up analyzing RADIUS traffic between SWG and the RADIUS server and decrypting the passwords sent by SWG. It turned out that the reason was the hash symbol ("#") contained in my new password; SWG doesn't handle it correctly. I've done some tests, and here are the results.

    | What user enters as password | What SWG sends to server |
    |---|---|
    | Single hash: "#" | The only correct case: "#" |
    | Two hashes: "##" | Just one hash: "#" |
    | Hash in the middle: "123#abc" | Hash itself, and everything after, is stripped: "123" |
    | Password starting from hash: "#123abc" | Nothing at all - User Password attribute is absent from RADIUS Request packet |

    (Actually I was using some other values for password, not "123" and "abc", but that shouldn't matter.)

    Looks like dead wrong behavior. SWG version is 5.2.2.118.
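
The check described in the first post, recovering what the client actually placed in the User-Password attribute of an Access-Request, can be reproduced offline with the hiding algorithm from RFC 2865 section 5.2. This is an added example, not code from the thread or from the vendor; the shared secret, Request Authenticator and user name are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import struct

USER_PASSWORD = 2                      # attribute type, RFC 2865 section 5.2
SECRET = b"constructed-shared-secret"  # constructed sample value
AUTH = bytes(range(16))                # constructed Request Authenticator

def hide_password(password, secret, authenticator):
    """Client side: NUL-pad to a multiple of 16, XOR with chained MD5 blocks."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server or analyst side: undo the XOR chain and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]        # ciphertext block keys the next round
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def build_access_request(authenticator, attributes):
    """Assemble a minimal Access-Request (code 1) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

def password_in_request(packet, secret):
    """Return the cleartext User-Password, or None when the attribute is absent."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos = packet[4:20], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == USER_PASSWORD:
            return reveal_password(packet[pos + 2:pos + attr_len], secret, authenticator)
        pos += attr_len
    return None

if __name__ == "__main__":
    attrs = [(1, b"alice"), (USER_PASSWORD, hide_password(b"123#abc", SECRET, AUTH))]
    print(password_in_request(build_access_request(AUTH, attrs), SECRET))
```

Comparing the recovered value with what the user typed separates a client that truncates the password before hiding it from one that omits the attribute entirely, which `password_in_request` reports as `None`.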



  • 2.  RE: User passwords with "#" symbol are not sent correctly to RADIUS server

    Broadcom Employee
    Posted Apr 17, 2015 12:27 PM

    Thank you for letting us know about this! Please open a support case so we can fully investigate this and get input from our development team.



  • 3.  RE: User passwords with "#" symbol are not sent correctly to RADIUS server

    Posted Apr 20, 2015 06:04 AM

    Looks like I don't have a proper support entitlement. Our head office has a license for Symantec Protection Suite, and I'm doing SWG evaluation, but I'm in a branch office. OK, I will ask head office to register a support case.