RE: Version 1.1.1 stops responding
Just for some reference (Trying to find commonalities): What OS/Distro are you? I'm Debian testing release How did you Install? (Prebuilt binary / created local package and install / install from source) I created a local Debian package, and installed it. What modules did you enable? PEAP, TTLS, and TLS What is your authentication source? Using ntlm_auth against Active Directory 2003 What is your supplicant? 98% Windows XP built in supplicant. The rest are Linux / Mac clients. I wonder if this has something to do with this bug that got squashed.... 2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing. We recommend that administrators upgrade immediately.
-----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.or g [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freer adius.org] On Behalf Of Stefan Winter Sent: Monday, March 27, 2006 1:49 AM To: FreeRadius users mailing list Subject: Re: Version 1.1.1 stops responding
Mine seg faulted as well.. Here's the last few lines of the freeradius -X -A
modcall: entering group authenticate for request 1002 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11
Interesting. This morning I encountered again that radiusd was claiming to be still listening on its ports, but didn't process anything any more. As other logs showed, someone logged into an Access Point via TTLS at 8:22 and at 8:25 the Nagios Monitoring system marked the RADIUS Server as critical. Scan interval for Nagios is every three minutes. So it could very well be that FreeRADIUS stopped processing packets when it tried to do TTLS. Sounds similar to your case, just that it didn't segfault. Note that we usually use TTLS it several times a day, and FreeRADIUS shows this behaviour only sporadically. I now reverted to 1.1.0 in the hope that it's better there. The way it is now is... disturbing.
Greetings,
Stefan Winter
-- Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"King, Michael" <MKing@bridgew.edu> wrote:
I wonder if this has something to do with this bug that got squashed....
2006.03.20 v1.0.5, and v1.1.0 - A validation issue exists with the EAP-MSCHAPv2 module
No. EAP-MSCHAP doesn't do TLS, and that code change cannot affect anything but people trying to attack the server. Alan DeKok.
participants (2)
-
Alan DeKok -
King, Michael