Bug ID 586170: RADIUS Auth Challenge message with Non-ASCII characters in it is rendered to users in hex-encoded form

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Apr 07, 2016

Severity: 3-Major

Related Article: K23534277

Symptoms

If RADIUS sends a challenge with a non-ASCII characters (e.g., from French/Spanish), the user is presented with a hex string in the challenge. For example, the result for the accented characters 'á, é, í, ó' is the hex-encoded string '0xe12c20e92c20ed2c20f3'.

Impact

End user sees a hex string instead of the challenge response.

Conditions

Using APM with a RADIUS server that sends a challenge response with non-ASCII characters.

Workaround

1. Navigate to Access Policy :: Customization :: Advanced. 2. Locate logon.inc (under Access Policy,Logon Pages, Logon Page in the Form Factor: Full/Mobile Browser frame of the screen. 3. Add code to logon.inc to decode the hex. 4. To do so, follow instructions for either BIG-IP v12.0.0 or for BIG-IP v11.6.0 HF6 to 12.0.0. Search for function OnLoad() in logon.inc. ---In BIG-IP v12.0.0 and later, beginning on line 302 --- 302 function OnLoad() 303 { 304 var header = document.getElementById("credentials_table_header"); 305 var softTokenHeaderStr = getSoftTokenPrompt(); 306 if ( softTokenHeaderStr ) { 307 header.innerHTML = softTokenHeaderStr; 308 } <? // ADD THE FOLLOWING CODE CHANGE INCLUDING THIS LINE if($challenge == 1){?> else if(header.innerHTML.substring(0,2) == "0x"){ var hex = header.innerHTML; var str = ''; var i=0; if (hex.charAt(0) == '0' && hex.charAt(1)== 'x') { i = 2; } var ret; for (; i < hex.length; i += 2) { ret = parseInt(hex.substr(i, 2), 16); if(isNaN(ret)){ break; } else { str += String.fromCharCode(ret); } } if(isNaN(ret)){ ret = hex; } else { ret = str; try{ ret = decodeURIComponent(escape(str)); } catch(e){}; } header.innerHTML =String(ret).replace(/</g, '&lt;').replace(/>/g, '&gt;'); } <?}?> //END CHANGE --- In BIG-IP v11.6.0 HF6 to 12.0.0, beginning on line 260 --- 260 function OnLoad() 261 { 262 var header = document.getElementById("credentials_table_header"); 263 var softTokenHeaderStr = getSoftTokenPrompt(); 264 if ( softTokenFieldId != "" && softTokenHeaderStr && edgeClientSoftTokenSupport()) { 265 header.innerHTML = softTokenHeaderStr; 266 } <? // ADD THE FOLLOWING CODE CHANGE INCLUDING THIS LINE if($challenge == 1){?> else if(header.innerHTML.substring(0,2) == "0x"){ var hex = header.innerHTML; var str = ''; var i=0; if (hex.charAt(0) == '0' && hex.charAt(1)== 'x') { i = 2; } var ret; for (; i < hex.length; i += 2) { ret = parseInt(hex.substr(i, 2), 16); if(isNaN(ret)){ break; } else { str += String.fromCharCode(ret); } } if(isNaN(ret)){ ret = hex; } else { ret = str; try{ ret = decodeURIComponent(escape(str)); } catch(e){}; } header.innerHTML =String(ret).replace(/</g, '&lt;').replace(/>/g, '&gt;'); } <?}?> //END CHANGE

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips