Problem with Cisco WLC probes in FR 2.2.1

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Mon Oct 7 10:59:52 CEST 2013


On 07/10/13 08:40, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>>> if (Service-Type == "NAS-Prompt-User") {
>>>   if (NAS-IP-Address =~ /^172\.17\.107\./) {
>>>    if (User-Name =~ /^wisms\-testing/) {
>>>     update control {
>>>          Auth-Type := Accept
>>>     }
> ouch do you realise how dangerous that is?  there
> should be no need to send an access accept packet back
> to these probes - a reject should suffice - and that would stop
> an end user subverting your system by simply using
> that UserName (if they are using wpa_supplicant they could
> add that NAS-Prompt-User attribute)
>
> alan
> -

We're finding these nuggets of code as we dig deeper into James's legacy 
config. If the Access-Accept response is not required, then presumably I 
can ditch that entire code block and let the wisms-testing auth attempt 
go through the system as any other user.

Thanks,
Jonathan
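Added example, not from the thread and not James's config: the quoted block rewritten along the lines Alan suggests, so the WLC probe is answered with an Access-Reject instead of an Access-Accept. The controller subnet and the wisms-testing username are taken from the quoted snippet; the Reply-Message text and the surrounding authorize section are assumptions.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# Assumed placement; the rest of the section is whatever the site already has.
authorize {
    # ... preprocess, suffix, eap and friends, as in the existing config ...

    # Cisco WLC RADIUS server probes arrive as Service-Type = NAS-Prompt-User
    # from the controller subnet with a fixed probe username. The controller
    # only needs to see a reply to mark the server as alive, so answer with a
    # reject: nothing is granted, and a client that presents the probe
    # username (with or without the Service-Type attribute) gets nothing either.
    if (Service-Type == "NAS-Prompt-User") {
        if (NAS-IP-Address =~ /^172\.17\.107\./) {
            if (User-Name =~ /^wisms-testing/) {
                update reply {
                    # Hypothetical text, only so the reject is recognisable in logs
                    Reply-Message := "WLC server probe"
                }
                update control {
                    Auth-Type := Reject
                }
            }
        }
    }

    # ... rest of authorize ...
}
```

The only functional change from the quoted block is Accept becoming Reject (plus the closing braces the quote cut off). As Alan says, a reject should suffice for the probe; it can be confirmed by running `radiusd -X` and watching a probe from the controller subnet end in Access-Reject while a real user with the same username is also rejected rather than waved through.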


More information about the Freeradius-Users mailing list