reauth-problem with WPA2-tls
Alan DeKok
aland at deployingradius.com
Sun Jun 6 08:35:36 CEST 2010
Andreas Hartmann wrote:
> See http://bugs.freeradius.org/bugzilla/show_bug.cgi?id=81
Where you file a bug against FreeRADIUS for an OpenSSL issue.
I understand that FreeRADIUS is affected. But...
> It does not work for me. There seem to be problems with the
> session-handling, which should be checked, explained and, if necessary,
> fixed.
FreeRADIUS does not create, update, or maintain the "session_id"
variable. It's created by OpenSSL. If it has different values for the
"same" session, then file a bug against OpenSSL.
> Until I have a comprehensible explanation for the reported
> session-ID behavior, the current version (and 2.1.8) of freeradius is
> highly insecure.
I have no idea why you think that's true. Failing to find a previous
session means that the new request will be rejected. There are no
security issues with rejecting users.
The patch you suggested in the bug report *bypasses* this session
checking, and *CREATES A SECURITY PROBLEM*. You should not use it in
any production system.
Alan DeKok.
More information about the Freeradius-Users mailing list