Security issue - WiFi authentication logging a fake username

Roberto Franceschetti roberto at logsat.com
Thu May 20 20:33:29 CEST 2021


> 
>> Setting "use_tunneled_reply = yes" in the peap section of the eap.conf helps a bit as the user name is now the correct one in the Access-Accept, but in the syslog and in the database the account being logged is still the anonymous one.
> 
>  Then your NAS is broken.

Now we're blaming Cisco in addition to blaming me. Great.


>  https://datatracker.ietf.org/doc/html/rfc2865#section-5.1
> 
>      It MAY be sent in an Access-Accept packet, in which case the
>      client SHOULD use the name returned in the Access-Accept packet in
>      all Accounting-Request packets for this session.  If the Access-
>      Accept includes Service-Type = Rlogin and the User-Name attribute,
>      a NAS MAY use the returned User-Name when performing the Rlogin
>      function.
> 
>  This is not just a "SHOULD".  It's what all sane NAS equipment does, for precisely the situation you're running into.

You conveniently omitted the first two lines of that RFC that say:
      This Attribute indicates the name of the user to be authenticated.
      It MUST be sent in Access-Request packets if available.

Notice the "MUST". You write RFCs... you know very well that a "SHOULD" is *not* a "MUST". So you can't say:
	  This is not just a "SHOULD"

because it is. It's a SHOULD. It's a recommendation, not a requirement. This is not me telling you, it's the RFC. But sure, keep on blaming Cisco and me instead of saying "well, maybe freeradius should log actual username and certificates used to authenticate after all".

...and also, if you relaxed a bit without getting upset, you would have read that I reported the issue is not just in the accounting table, but also in the radpostauth and in syslog.


In any case, for everyone else who, like the ignorant me, never realized that if you use WiFi to authenticate on an 802.1X network, there's an option to specify an anonymous identity which will make you invisible in the RADIUS logs, it seems as if we're stuck having to use "use_tunneled_reply = yes" in the eap.conf. With that option, we can add this to the post-auth in the inner-tunnel:

	update reply {
		Inner-Tunnel-User-Name := "%{request:User-Name}"
	}

With that, then in the dialup.conf and in the linelog modules we'll have access to the %{reply:Inner-Tunnel-User-Name} value pair which we can use to log the inner username along with the outer one as it should have been done to begin with by freeradius.

Roberto
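As an added example (not part of the post above), here is how the inner-tunnel snippet can be wired into the outer server's post-auth and a linelog module so that every outer Access-Accept records both the anonymous outer identity and the real inner one. It assumes a FreeRADIUS 3.x config layout with "use_tunneled_reply = yes" as described above; the module name "log_identities" and the log file name are placeholders chosen for this example.

```text
# sites-available/inner-tunnel, post-auth section
post-auth {
	# The inner request carries the identity that was actually authenticated.
	# Copy it into the inner reply; use_tunneled_reply = yes then carries it
	# up to the outer reply list where the default server can see it.
	update reply {
		Inner-Tunnel-User-Name := "%{request:User-Name}"
	}
}

# mods-available/linelog (placeholder module name and file name)
linelog log_identities {
	filename = ${logdir}/identities.log
	permissions = 0600
	# One line per outer Access-Accept: timestamp, outer (anonymous) identity,
	# inner identity (or "none" if the inner tunnel did not set it), NAS and
	# client MAC. Without the inner= field the line would only ever show the
	# anonymous outer identity.
	format = "%S outer=%{User-Name} inner=%{%{reply:Inner-Tunnel-User-Name}:-none} nas=%{NAS-IP-Address} station=%{Calling-Station-Id}"
}

# sites-available/default, post-auth section: call the module after the
# inner-tunnel has run, so %{reply:Inner-Tunnel-User-Name} is populated.
post-auth {
	log_identities
}
```

The same %{%{reply:Inner-Tunnel-User-Name}:-none} expansion can be used in the SQL module's post-auth query to populate an extra column in radpostauth; a line showing inner=none for a PEAP/TTLS accept is the signal that the inner-tunnel update was not applied.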
