Problem with Cisco WLC probes in FR 2.2.1

Scott Armitage S.P.Armitage at lboro.ac.uk
Mon Oct 7 11:06:47 CEST 2013


On 7 Oct 2013, at 09:59, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:

> On 07/10/13 08:40, A.L.M.Buxey at lboro.ac.uk wrote:
>> Hi,
>> 
>>>> if (Service-Type == "NAS-Prompt-User") {
>>>>  if (NAS-IP-Address =~ /^172\.17\.107\./) {
>>>>   if (User-Name =~ /^wisms\-testing/) {
>>>>    update control {
>>>>         Auth-Type := Accept
>>>>    }
>> ouch do you realise how dangerous that is?  there
>> should be no need to send an access accept packet back
>> to these probes - a reject should suffice - and that would stop
>> an end user subverting your system by simply using
>> that UserName (if they are using wpa_supplicant they could
>> add that NAS-Prompt-User attribute)
>> 
>> alan
>> -
> 
> We're finding these nuggets of code as we dig deeper into James's legacy config. If the Access-Accept response is not required, then presumably I can ditch that entire code block and let the wisms-testing auth attempt go through the system as any other user.


Yes, or immediately reject that user in the authorise section.  Rejecting immediately just makes things more efficient, particularly if the wism is doing a check because it has marked the server as dead.  

Test it, see what happens.

Regards

Scott
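The shape of the change discussed above, as an added example for reference (not configuration from this thread or from the FreeRADIUS project). It assumes the probe characteristics the quoted block tests for (Service-Type NAS-Prompt-User, NAS-IP-Address in 172.17.107.x, User-Name prefix wisms-testing) and FreeRADIUS 2.x unlang syntax:

```unlang
# Original pattern (quoted in the thread): a request matching the probe
# shape is forced to Access-Accept. User-Name is chosen by the supplicant,
# so anyone behind a NAS in 172.17.107.x who sends that name and attribute
# gets an Accept without any credential check.
authorize {
    if (Service-Type == "NAS-Prompt-User") {
        if (NAS-IP-Address =~ /^172\.17\.107\./) {
            if (User-Name =~ /^wisms\-testing/) {
                update control {
                    Auth-Type := Accept
                }
            }
        }
    }
    # remaining site authorize modules (eap, files, pap, ...) follow here
}

# Rejecting the probe instead: the controller only needs a response to
# mark the server alive, and Access-Reject is a response that grants
# nothing. Returning "reject" here also stops the rest of the authorize
# section from running for the probe, which is the efficiency point above.
authorize {
    if (Service-Type == "NAS-Prompt-User") {
        if (NAS-IP-Address =~ /^172\.17\.107\./) {
            if (User-Name =~ /^wisms\-testing/) {
                # equivalent to: update control { Auth-Type := Reject }
                reject
            }
        }
    }
    # remaining site authorize modules (eap, files, pap, ...) follow here
}
```

With the reject in place, Access-Reject entries for wisms-testing from 172.17.107.x are the expected probe traffic; the same user name arriving from any other NAS address is worth a look in the logs.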