FreeRadius unauthorized access

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Jan 31 22:44:29 CET 2014


On 31 Jan 2014, at 20:26, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> 
> On 31 Jan 2014, at 19:33, Mike Diggins <mike.diggins at mcmaster.ca> wrote:
> 
>> I'm running a FreeRadius server which authenticates to a Microsoft
>> Windows 8 Active Directory via winbind and NTLM_AUTH. The service is
>> used by a Cisco wireless network which uses WPA2 for user authentication
>> (MS PEAP). My software versions are:
>> 
>> Red Hat Enterprise Linux (v. 5 for 64-bit x86_64)
>> freeradius2-2.1.12-4.el5_8 (RedHat)
>> samba3x-winbind-3.5.10-0.110.el5_8 (RedHat)
>> 
>> It came to my attention recently that some users may be gaining
>> unauthorized access. An account was seen to be granted access (according
>> to the FreeRadius log) even though the account does not exist within the
>> AD, nor is it a local FreeRadius account (not that I can see anyway).
>> What I see in my logs is:
>> 
>> Jan 15 12:23:34 xxxxx radiusd[20330]: Login OK: [whoiswho] (from client
>> xxxx port 13 cli xx-xx-xx-xx-xx-xx)
>> Jan 18 08:07:58 xxxxx radiusd[22212]: Login OK: [hi] (from client xxxx
>> port 13 cli xx-xx-xx-xx-xx-xx)
>> 
>> The same accounts also appear on the wireless controller. To the best of
>> my knowledge those accounts do not exist anywhere but somehow they are
>> being authenticated.
> 
> Yes, you're not enforcing outer/inner identity consistency.
> 
> The Access Point and Outer server only know about the User-Name provided
> in the EAP-Identity-Response, whereas you're authenticating on the
> identity sent through the EAP-Tunnel.
> 

a check like

if (User-Name != outer.User-Name) {
	reject
}

> In the inner tunnel server would prevent this from occurring.
> 
> Without that check a user could set the outer identity to anything,
> so long as the inner identity was valid.
> 
> This can be particularly nasty, say, if you're doing dynamic VLAN
> assignment in the outer server, as a user can spoof the name of
> an administrative user, and get assigned to a VLAN they shouldn't.
> 

But the best way is probably just to override the outer id with the
inner one and send the inner id in the Access-Accept, unless it's
going out over eduroam.

IIRC there are weird encoding issues with the MSCHAPv2 identity which
can make it very hard to automatically determine whether all the IDs
tie up.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
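The consistency check and the "override the outer id with the inner one" alternative described above, written out as an added FreeRADIUS unlang fragment for the inner-tunnel virtual server. This is an example, not code from the post or from the project's shipped configuration; it assumes the `outer.request` / `outer.reply` list references (available in 2.x and 3.x) and the `%{...}` xlat form so it works on the 2.1.x version the original poster is running.

```unlang
# sites-enabled/inner-tunnel  (added example, not the project's default file)
#
# Inside the inner tunnel, "User-Name" is the identity the user sent
# through the EAP tunnel (the one actually authenticated against AD),
# while "outer.request:User-Name" is the identity from the
# EAP-Identity-Response that the NAS / wireless controller sees and logs.

authorize {
	# Policy A: refuse to authenticate if the two identities differ.
	# This is what stops an arbitrary outer identity such as "hi" or
	# "whoiswho" from being accepted on the strength of a valid inner one.
	if ("%{outer.request:User-Name}" != "%{User-Name}") {
		update reply {
			Reply-Message := "Outer identity does not match inner identity"
		}
		reject
	}

	# ... normal authorize modules (eap, mschap, etc.) follow here ...
}

post-auth {
	# Policy B (alternative to A, not in addition to it): trust the
	# authenticated inner identity and push it into the outer reply, so
	# the Access-Accept, the controller's session table and any dynamic
	# VLAN assignment done in the outer server all key off the real name.
	#
	# Do NOT do this for requests that will be forwarded over eduroam,
	# where the outer identity (e.g. anonymous@realm) is deliberately
	# different and must be preserved.
	update outer.reply {
		User-Name := "%{User-Name}"
	}
}
```

With Policy A in place, a mismatch shows up in the log as a reject rather than the "Login OK: [hi]" lines quoted above, which is the signal to alert on while the policy is being rolled out.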
