Conditional EAP Type Acceptance
mike at dibella.net
Tue Nov 26 19:58:33 CET 2019
The vulnerability I'm trying to control is the gap where unmanaged devices are converted to managed devices between guest account password rotations.
The supplicants on these devices have already made the guest account credentials part of the saved preferred network information. MDM cannot erase that, only the user can "forget" the network on the device itself. When these devices enroll in MDM, they will receive the certificate for EAP-TLS, but the device can continue to use the saved guest credentials until the password is rotated, subverting the compliance check.
Rejecting PEAP authentication when the device is found in the managed device directory will encourage users of these devices to "forget" the network and use the certificate instead.
> So I would need to break the LDAP check into two parts. First, if an object exists where the MAC attribute matches the request Calling-Station-Id , authenticate by EAP-TLS. If authenticated, accept the request if the compliance attribute is zero.
> If the MAC address is not found, authenticate using PEAP.
Except you don't control which authentication method is used. The supplicant (client side) chooses that.
Further, if you don't issue client certificates for guests, then they can't choose EAP-TLS.
And, if you don't issue passwords for normal users, they can't choose PEAP. Well, they can, but they can't authenticate because they don't have a password.
So what you really need to do is for EAP-TLS, check that the MAC attribute matches the Calling-Station-Id. And that's about it. Which is what you already have.
More information about the Freeradius-Users