FreeRadius unauthorized access

Mike Diggins mike.diggins at mcmaster.ca
Fri Jan 31 20:33:10 CET 2014


I'm running a FreeRadius server which authenticates to a Microsoft
Windows 8 Active Directory via winbind and NTLM_AUTH. The service is
used by a Cisco wireless network which uses WPA2 for user authentication
(MS PEAP). My software versions are:

Red Hat Enterprise Linux (v. 5 for 64-bit x86_64)
freeradius2-2.1.12-4.el5_8 (RedHat)
samba3x-winbind-3.5.10-0.110.el5_8 (RedHat)

It came to my attention recently that some users may be gaining
unauthorized access. An account was seen to be granted access (according
to the FreeRadius log) even though the account does not exist within the
AD, nor is it a local FreeRadius account (not that I can see anyway).
What I see in my logs is:

Jan 15 12:23:34 xxxxx radiusd[20330]: Login OK: [whoiswho] (from client xxxx port 13 cli xx-xx-xx-xx-xx-xx)
Jan 18 08:07:58 xxxxx radiusd[22212]: Login OK: [hi] (from client xxxx port 13 cli xx-xx-xx-xx-xx-xx)

The same accounts also appear on the wireless controller. To the best of
my knowledge those accounts do not exist anywhere but somehow they are
being authenticated. Blocking the account with an Auth-Type := Reject
prevents it from authenticating. I've tested with the same account names
using no password and various random passwords but I'm correctly denied
access each time. I'm attempting to capture some more extensive logging
during one of these logins but until I do, does anyone recognize a
scenario where this might happen?

-Mike
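
Added example, not part of the original post: a Python sketch that scans radiusd log lines in the "Login OK" format quoted above and lists every accepted login whose name is not in a supplied list of directory accounts, so the client, port and calling station of each occurrence can be compared. It assumes one log record per line; the host, client, MAC addresses and the KNOWN account list are constructed placeholders.

```python
import re
from collections import defaultdict

# Format of the "Login OK" lines quoted in the post (one record per line).
LOGIN_OK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+radiusd\[\d+\]:\s+Login OK:\s+"
    r"\[(?P<user>[^\]]*)\]\s+\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?\)"
)

def normalize(name):
    """Reduce DOMAIN\\user or user@realm to a lower-case bare account name."""
    name = name.strip().lower()
    return name.split("\\")[-1].split("@")[0]

def unknown_logins(lines, known_accounts):
    """Return {logged name: [records]} for accepted logins not in known_accounts."""
    known = {normalize(a) for a in known_accounts}
    hits = defaultdict(list)
    for line in lines:
        m = LOGIN_OK.match(line.strip())
        if m and normalize(m.group("user")) not in known:
            hits[m.group("user")].append(m.groupdict())
    return dict(hits)

# Constructed sample data: host, client, MACs and known accounts are placeholders.
KNOWN = ["jsmith", "adoe"]
SAMPLE = [
    "Jan 15 12:23:34 radius1 radiusd[20330]: Login OK: [whoiswho] (from client wlc1 port 13 cli 00-11-22-33-44-55)",
    "Jan 15 12:25:01 radius1 radiusd[20330]: Login OK: [CAMPUS\\JSmith] (from client wlc1 port 13 cli 00-11-22-33-44-66)",
    "Jan 16 09:00:12 radius1 radiusd[20330]: Login incorrect: [adoe] (from client wlc1 port 13 cli 00-11-22-33-44-77)",
    "Jan 18 08:07:58 radius1 radiusd[22212]: Login OK: [hi] (from client wlc1 port 13 cli 00-11-22-33-44-55)",
]

if __name__ == "__main__":
    for user, recs in sorted(unknown_logins(SAMPLE, KNOWN).items()):
        for r in recs:
            print("%s  user=%s client=%s port=%s cli=%s"
                  % (r["ts"], user, r["client"], r["port"], r["cli"]))
```

In practice the lines would come from the radiusd log file and the account list from a directory export.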



