Security issue - WiFi authentication logging a fake username
aland at deployingradius.com
Thu May 20 21:00:26 CEST 2021
On May 20, 2021, at 2:33 PM, Roberto Franceschetti <roberto at logsat.com> wrote:
> Now we're blaming Cisco in addition to blaming me. Great.
Yes. I claim the right to have opinions.
Your unstated assumption here is that your opinions matter, and mine don't. You don't think this is a problem. Everyone else does.
>> This is not just a "SHOULD". It's what all sane NAS equipment does, for precisely the situation you're running into.
> You conveniently omitted the 1st two lines of that RFC that say:
> This Attribute indicates the name of the user to be authenticated.
> It MUST be sent in Access-Request packets if available.
> Notice the "MUST". You write RFCs... you know very well that a "SHOULD" is *not* a "MUST". So you can't say:
> This is not just a "SHOULD"
> because it is. It's a SHOULD. It's a recommendation, not a requirement. This is not me telling you, it's the RFC. But sure, keep on blaming Cisco and me instead of saying "well, maybe freeradius should log actual username and certificates used to authenticate after all".
There's what the RFCs say, and then what's sane. Since you're aware that I write RFCs, you're also aware that I've written RFCs like RFC 5080, which fixes a number of issues in previous RFCs.
The problem here is simple. You're trying to get your opinion across, and you don't really care what anyone else's opinion is. You want to force everyone else to do what you want, and you either don't understand the consequences, or don't care.
The only way you get to dictate what goes into a RADIUS server is if you start your own. And then deal with entitled people like yourself who try to order you around.
> ..and also, if you relaxed a bit without getting upset, you would have read that I reported the issue is not just in the accounting table, but also in the radpostauth and in syslog.
If you stop trying to repeat the same thing over and over, you'd suggest a solution which works everywhere. I explained why this was hard. You've ignored that. Over and over and over again.
This is a side effect of believing that your opinion matters, and that no one else's does.
> In any case, for everyone else who, like the ignorant me, never realized that if you use WiFi to authenticate on an 802.1X network, there's an option to specify an anonymous identity which will make you invisible in the radius logs,
The server does *exactly* what you wanted to do here: have documentation and examples which explain the issue, and allow you to fix it with minimal fuss.
Anyways. Since you're not prepared to understand my reasons, or respect my opinions, I'm declaring this conversation over. Any further discussion on this topic is not appropriate for this list.
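The mechanism the two posters are arguing about, shown as an added example that is not code from the thread or from FreeRADIUS: RFC 2865 s5.1 lets the server return User-Name in the Access-Accept, and a NAS that follows the SHOULD then puts that name, rather than the anonymous outer identity it received from the supplicant, in its Accounting-Request packets. The block builds such an Access-Accept with a correct Response Authenticator, models the compliant NAS behaviour, and checks whether the resulting accounting identity still hides the user. The shared secret, request authenticator and identities are constructed for the example, and the "anonymous" username test is this example's own heuristic, not a FreeRADIUS check.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one RFC 2865 s5 attribute: Type(1) Length(1) Value(1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(req_id, request_authenticator, secret, user_name=None):
    """Build an Access-Accept, optionally carrying User-Name.

    RFC 2865 s5.1: User-Name MAY be sent in an Access-Accept, in which case the
    NAS SHOULD use that name in all Accounting-Request packets for the session.
    """
    attrs = b""
    if user_name is not None:
        attrs = encode_attr(ATTR_USER_NAME, user_name.encode("utf-8"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, req_id, HEADER_LEN + len(attrs))
    # RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator as a NAS would before trusting the reply."""
    if len(packet) < HEADER_LEN:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet):
    """Walk the attribute TLVs; reject bad lengths rather than silently skipping them."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("Length field does not match packet size")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def accounting_user_name(outer_identity, access_accept):
    """User-Name an RFC 2865 s5.1-compliant NAS puts in its Accounting-Requests:
    the name returned in the Access-Accept if present, otherwise the outer
    identity the supplicant originally sent in the Access-Request."""
    names = parse_attrs(access_accept).get(ATTR_USER_NAME)
    if names:
        return names[0].decode("utf-8")
    return outer_identity


def is_anonymous_nai(identity):
    """True for outer identities that hide the user: an empty username part
    before the realm (RFC 7542 s2.4) or the literal 'anonymous' username
    (heuristic for this example; supplicants commonly default to it)."""
    user, sep, _realm = identity.partition("@")
    return user.lower() == "anonymous" or (sep == "@" and user == "")


if __name__ == "__main__":
    secret = b"testing123"                    # constructed shared secret
    request_authenticator = bytes(range(16))  # constructed; a real NAS sends random bytes
    outer = "anonymous@example.org"           # what the supplicant put in the Access-Request
    inner = "alice@example.org"               # what authenticated inside the EAP tunnel

    accept_with_name = build_access_accept(7, request_authenticator, secret, inner)
    accept_bare = build_access_accept(8, request_authenticator, secret)
    for label, pkt in (("User-Name returned", accept_with_name), ("no User-Name", accept_bare)):
        assert verify_response(pkt, request_authenticator, secret)
        acct = accounting_user_name(outer, pkt)
        print(f"{label}: accounting User-Name={acct!r} hides user={is_anonymous_nai(acct)}")
```

Two things worth noting when applying this to a real deployment. First, the SHOULD is on the NAS side: a server that returns the inner identity has done its part, and a NAS that keeps sending the outer identity in accounting is what produces the "fake username" in radacct. Second, returning the inner identity in the Access-Accept sends it to the NAS over RADIUS, which is the very exposure the anonymous outer identity exists to avoid; recording the inner identity only in the server's own post-auth logging is the alternative when that matters.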
More information about the Freeradius-Users