Radius authentication using PrivacyIdea plugin - special character limitations for user-password used in radius requests?

We have configured RADIUS authentication using privacyIDEA for access to firewalls, Netscaler access & CyberArk. We defined “OTPPin=UserStore” to use the Windows credentials as the first factor for all RADIUS authentications. We recommend that our users use complex “strong” passwords for their Windows accounts. Strong passwords, e.g., contain uppercase, lowercase, a minimum number of chars, numbers & special characters. Which special characters should not be used in passwords because the user’s browser may encode the password wrongly, which may cause an invalid password error in privacyIDEA even though the user entered the correct one at the browser prompt initiating the RADIUS request? Is there experience around that topic that can be shared with the community? Can the encoding/decoding be influenced on the RADIUS client/server side?

It looks like some special characters are often problematic for FreeRADIUS.

…depending on the version you are using. See this and that

If you think the problem lies somewhere else, you can

  1. run FreeRADIUS in debug mode and check whether the special character is transferred correctly
  2. turn debug mode on (loglevel 9!) and check in the privacyIDEA log which password arrives at privacyIDEA.
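
An offline check for the encoding question raised in this thread, added as an example and not taken from privacyIDEA or FreeRADIUS: it applies the RFC 2865 User-Password hiding and shows which characters yield different bytes depending on the client's encoding. The shared secret, the authenticator, the candidate encodings and the assumption that the server decodes as UTF-8 are all constructed for illustration.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide User-Password as the RADIUS client does."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()  # MD5 is mandated by the protocol
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def survives(password: str, client_enc: str, server_enc: str = "utf-8") -> bool:
    """True if the server-side string equals what the user typed."""
    secret, ra = b"constructed-secret", bytes(range(16))  # constructed values
    try:
        wire = hide_password(password.encode(client_enc), secret, ra)
        return reveal_password(wire, secret, ra).decode(server_enc) == password
    except (UnicodeError, ValueError):
        return False

def risky_chars(password: str, encodings=("utf-8", "latin-1", "cp1252")) -> list:
    """Characters whose byte form differs between candidate client encodings."""
    def enc_or_none(ch, enc):
        try:
            return ch.encode(enc)
        except UnicodeEncodeError:
            return None  # not representable in this encoding at all
    return [ch for ch in password
            if len({enc_or_none(ch, e) for e in encodings}) > 1]

if __name__ == "__main__":
    for pw in ("P@ss!#$%&w0rd", "Pässwört", "Preis€99"):  # constructed samples
        print(pw, risky_chars(pw), survives(pw, "latin-1"), survives(pw, "utf-8"))
```

The hiding step itself is byte-transparent, so in this model a mismatch can only come from the client and server disagreeing on the character encoding; the bytes seen in the FreeRADIUS debug output and the privacyIDEA log can be compared against `password.encode(...)` for each candidate encoding.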