Security issue - WiFi authentication logging a fake username

Matthew Newton mcn at freeradius.org
Wed May 19 10:55:29 CEST 2021


On 19/05/2021 03:47, Roberto Franceschetti wrote:
> Imagine if the Windows CTRL-ALT-DEL login screen, in addition to the username/password fields, also had a field for you to enter an "ALIAS". You then log in to Windows with your username, but what gets logged in the Security event logs and/or Domain Controller is NOT your username, but the bogus name you entered for the Alias. Your login would be untraceable, and some security admins would go ballistic.
> 
> This is exactly what is happening with freeradius. It's a scenario similar to what was reported in http://lists.freeradius.org/pipermail/freeradius-users/2021-March/099613.html, but worse.

Yes, and not even two months ago, in that exact thread, we told you to 
properly configure and test your system before going into production.

I'm not going to waste my time doing the same again.

-- 
Matthew

