Problem with Cisco WLC probes in FR 2.2.1
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 7 10:36:30 CEST 2013
On 10/07/2013 08:40 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>>> if (Service-Type == "NAS-Prompt-User") {
>>>     if (NAS-IP-Address =~ /^172\.17\.107\./) {
>>>         if (User-Name =~ /^wisms\-testing/) {
>>>             update control {
>>>                 Auth-Type := Accept
>>>             }
>
> ouch do you realise how dangerous that is? there
> should be no need to send an access accept packet back
> to these probes - a reject should suffice - and that would stop
> an end user subverting your system by simply using
> that UserName (if they are using wpa_supplicant they could
> add that NAS-Prompt-User attribute)
Er... wpa_supplicant speaks EAP, and Service-Type is a RADIUS attribute.
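
The distinction drawn in this exchange, as an added example that is not part of the original thread: a small Python model of the three quoted unlang conditions, evaluated against constructed requests. The sample address 172.17.107.10, the helper names, and the Service-Type value a NAS sets for 802.1X clients are assumptions made for illustration.

```python
import re

# Conditions copied from the unlang quoted in the thread: (attribute, test).
POLICY = [
    ("Service-Type", lambda v: v == "NAS-Prompt-User"),
    ("NAS-IP-Address", lambda v: re.search(r"^172\.17\.107\.", v) is not None),
    ("User-Name", lambda v: re.search(r"^wisms\-testing", v) is not None),
]

# Assumption: in 802.1X the supplicant supplies only the EAP identity (copied
# by the NAS into User-Name) and the EAP payload; the NAS fills in the rest.
SET_BY_SUPPLICANT = {"User-Name", "EAP-Message"}

def probe_policy_accepts(request):
    """True when all three nested conditions match, i.e. Auth-Type := Accept."""
    return all(attr in request and test(request[attr]) for attr, test in POLICY)

def nas_set_conditions():
    """Policy attributes whose value the NAS, not the supplicant, chooses."""
    return [attr for attr, _ in POLICY if attr not in SET_BY_SUPPLICANT]

def dot1x_request(identity, nas_ip):
    """Constructed Access-Request as a NAS would build it for an 802.1X client."""
    return {
        "User-Name": identity,
        "EAP-Message": "<EAP-Response/Identity>",
        "NAS-IP-Address": nas_ip,
        "Service-Type": "Framed-User",  # assumed value the NAS sets for 802.1X
    }

# Constructed sample: the controller's own probe.
PROBE = {
    "User-Name": "wisms-testing",
    "NAS-IP-Address": "172.17.107.10",
    "Service-Type": "NAS-Prompt-User",
}

if __name__ == "__main__":
    client = dot1x_request("wisms-testing", "172.17.107.10")
    print("probe accepted:", probe_policy_accepts(PROBE))
    print("802.1X client with same User-Name accepted:", probe_policy_accepts(client))
    print("conditions decided by the NAS:", nas_set_conditions())
```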