I've configured SWG for RADIUS authentication (via MS AD and NPS). At first it worked, but after changing my password to a new one I couldn't login to SWG anymore. While researching the problem, I've ended up analyzing RADIUS traffic between SWG and RADIUS server and decrypting passwords sent by SWG. It turned out that the reason was hash symbol ("#") contained in my new password, SWG doesn't handle it correctly. I've done some tests, and here are the results.
| What user enters as password | What SWG sents to server |
|---|---|
| Single hash: "#" | The only correct case: "#" |
| Two hashes: "##" | Just one hash: "#" |
| Hash in the middle: "123#abc" | Hash itself, and everything after, is stripped: "123" |
| Password starting from hash: "#123abc" | Nothing at all - User Password attribute is absent from RADIUS Request packet |
(Actually I was using some other values for password, not "123" and "abc", but that shouldn't matter.)
Looks like dead wrong behavior. SWG version is 5.2.2.118.