Problem when trying to store NAS-Port-ID into radpostauth table

Alan DeKok aland at deployingradius.com
Thu Sep 16 22:40:57 CEST 2021


On Sep 16, 2021, at 4:32 PM, Antônio Modesto <modesto at hubsoft.com.br> wrote:
> From our application I don't think that it is possible. Only if the attacker pretended to be a known NAS server. Do you have any other suggestion?

  If you change the list of allowed characters, it is changed for ALL of the attributes.  Not just NAS-Port-Id.  For example, someone could log in with a User-Name which exploits this issue.  They don't even have to have an account, or even the correct password.

  Alan DeKok.




More information about the Freeradius-Users mailing list