FreeRadius unauthorized access
Mike Diggins
mike.diggins at mcmaster.ca
Sat Feb 1 19:28:25 CET 2014
Thanks for the replies everyone. If I understand correctly I likely
don't have a security breach, just a lack of understanding with the
authentication process.
A "normal" authentications look like this:
Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client
wlc-6 port 0 via TLS tunnel)
Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client
wlc-6 port 13 cli xx-xx-xx-xx-xx-xx)
So these odd looking ones are missing the "TLS tunnel" line and
apparently that is the inner tunnel - the one sent to AD for
authentication, correct?
If the outer identity name is not valid then why does FR log "Login OK"
and under what situation would I see one without the other?
Is it possible to set the inner/outer identity to be different just
using a regular client OS?
-Mike
On 1/31/2014 3:19 PM, Lovaas,Steven wrote:
> Mike,
>
> You've snipped single lines from your logs to illustrate, but I suspect that there may be adjacent log entries that tell the story. Looks like you're seeing the outer identity, which is not what FR passes on to AD for authentication.
>
> Steve
>
> -----Original Message-----
> From:freeradius-users-bounces+steven.lovaas=colostate.edu at lists.freeradius.org [mailto:freeradius-users-bounces+steven.lovaas=colostate.edu at lists.freeradius.org] On Behalf Of Mike Diggins
> Sent: Friday, January 31, 2014 12:33 PM
> To: FreeRadius users mailing list
> Subject: FreeRadius unauthorized access
>
> I'm running a FreeRadius server which authenticates to a Microsoft Windows 8 Active Directory via winbind and NTLM_AUTH. The service is used by a Cisco wireless network which uses WPA2 for user authentication (MS PEAP). My software versions are:
>
> Red Hat Enterprise Linux (v. 5 for 64-bit x86_64)
> freeradius2-2.1.12-4.el5_8 (RedHat)
> samba3x-winbind-3.5.10-0.110.el5_8 (RedHat)
>
> It came to my attention recently that some users may be gaining unauthorized access. An account was seen to be granted access (according to the FreeRadius log) even though the account does not exist within the AD, nor is it a local FreeRadius account (not that I can see anyway).
> What I see in my logs is:
>
> Jan 15 12:23:34 xxxxx radiusd[20330]: Login OK: [whoiswho] (from client xxxx port 13 cli xx-xx-xx-xx-xx-xx) Jan 18 08:07:58 xxxxx radiusd[22212]: Login OK: [hi] (from client xxxx port 13 cli xx-xx-xx-xx-xx-xx)
>
> The same accounts also appear on the wireless controller. To the best of my knowledge those accounts do not exist anywhere but somehow they are being authenticated. Blocking the account with an Auth-Type := Reject prevents it from authenticating. I've tested with the same account names using no password and various random passwords but I'm correctly denied access each time. I'm attempting to capture some more extensive logging during one of these logins but until I do, does anyone recognize a scenario where this might happen?
>
> -Mike
>
>
> -
> List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list