[RADIATOR] EAP authentication using TLSv1.2 with OpenSSL 1.0.1f or 1.0.1g based servers may fail
Hello list members.

It has come to our attention that TLS based EAP methods, such as EAP-TLS, EAP-TTLS and PEAP, may fail in some cases. The currently verified failure case is this:

- Client wishes to use TLSv1.2 and the server agrees to do so, and
- Radiator on the server uses OpenSSL 1.0.1f or 1.0.1g, and
- The client supports certain TLS cipher suites.

The above was verified with Ubuntu 14.04 as the server and wpa_supplicant with GnuTLS 2.12.23 as the client.

When this happens, the server derives incorrect keying material. The keying material is typically used to create the Wi-Fi encryption keys returned with the MPPE-Recv-Key and MPPE-Send-Key RADIUS attributes. As a result, the client authenticates normally but is unable to access the network because of the key mismatch between the client and the Wi-Fi access point/controller.

For the details, please see this message on the hostapd/wpa_supplicant mailing list:
http://lists.infradead.org/pipermail/hostap/2015-December/034297.html

By default Radiator 4.14 and later support all TLS versions for TLS based EAP methods. To configure Radiator not to use TLSv1.2, use the EAPTLS_Protocols configuration parameter. For example, to allow TLSv1 and TLSv1.1 only:

    EAPTLS_Protocols TLSv1, TLSv1.1

See section '5.21.33 EAPTLS_Protocols' in the Radiator 4.16 reference manual for more information.

We are considering a patch in Radiator that disables TLSv1.2 for EAP if the OpenSSL version is one of the above.

Thanks to Nick Lowe for letting us know about this.

-- 
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
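Added example, not code from the post and not Radiator's own code: the key hierarchy the post refers to, written out in Python. EAP-TLS takes 128 bytes of Key_Material from the TLS master secret with the TLS PRF (RFC 5216 section 2.3), the first 64 bytes are the MSK, and the MSK halves become the two MPPE key attributes (that attribute mapping is the usual one in RADIUS servers and is assumed here, not taken from the post). Under TLS 1.2 the PRF hash is whichever one the negotiated cipher suite specifies, so the example derives the same session on both sides and then once with the server's PRF hash differing from the client's, to show how a server-side derivation error produces an Access-Accept whose keys the supplicant cannot reproduce. The master secret and randoms are constructed values.

```python
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_<hash> expansion (RFC 5246, section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(hash_name: str, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF = P_<hash>(secret, label + seed). Which hash is used comes
    from the negotiated cipher suite (SHA-256 unless the suite says otherwise)."""
    return p_hash(hash_name, secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes,
                 prf_hash: str = "sha256") -> dict:
    """RFC 5216 section 2.3: Key_Material = PRF(master_secret,
    "client EAP encryption", client.random + server.random), 128 bytes.
    MSK = first 64 bytes, EMSK = next 64. Splitting the MSK into
    MPPE-Recv-Key / MPPE-Send-Key is the assumed server-side mapping."""
    key_material = tls12_prf(prf_hash, master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:]
    return {"msk": msk, "emsk": emsk,
            "mppe_recv_key": msk[:32], "mppe_send_key": msk[32:]}


def handshake_would_succeed(server_keys: dict, client_keys: dict) -> bool:
    """The access point gets its pairwise master key from the MPPE attributes
    the server sends; the supplicant derives its own copy. The Wi-Fi 4-way
    handshake only completes if the two agree."""
    return (server_keys["mppe_recv_key"] == client_keys["mppe_recv_key"]
            and server_keys["mppe_send_key"] == client_keys["mppe_send_key"])


# Constructed sample inputs (not taken from a real session).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def demo() -> tuple:
    """Returns (keys agree with a correct server, keys agree with a server
    whose PRF input disagrees with the client's)."""
    client = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, "sha256")
    good_server = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, "sha256")
    # Same master secret, same randoms, but the server expands with a different
    # PRF hash: the TLS handshake itself has already completed, Access-Accept
    # goes out, and the supplicant still cannot match the keys.
    bad_server = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, "sha384")
    return (handshake_would_succeed(good_server, client),
            handshake_would_succeed(bad_server, client))


if __name__ == "__main__":
    ok, mismatch = demo()
    print("matching derivation:", ok, " mismatched derivation:", mismatch)
```

The sha384 swap is only a stand-in for "the server computed the keys differently"; it is not a statement of what OpenSSL 1.0.1f/g gets wrong. What it does show is why the symptom looks the way the post describes: nothing in the EAP exchange fails, the RADIUS Access-Accept carries MPPE keys, and the failure only surfaces at the 4-way handshake between client and access point. Restricting EAPTLS_Protocols so that TLSv1.2 is not negotiated keeps the affected derivation path from being used at all.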
[RADIATOR] OSC Security advisory OSC-SEC-2014-01: Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access
For HTML version, please see:
https://www.open.com.au/OSC-SEC-2014-01.html

Open System Consultants (OSC) Security Advisory OSC-SEC-2014-01
Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access

Published: December 3, 2014 10:00 am UTC | Updated December 4, 2014 8:00 am UTC

Summary

A bug exists in the Radiator Extended Authentication Protocol (EAP) implementation where a malicious client could bypass EAP method restrictions. A vulnerability caused by this bug was discovered in recent Radiator releases and requires urgent attention. This EAP bug together with an EAP method released in Radiator 4.10 create a vulnerability which could allow a malicious EAP client to gain unauthorised access from Radiator. A successful exploitation requires specially crafted EAP client software.

The bug and the vulnerability were discovered by OSC's development team. OSC is not aware of public use of this vulnerability.

Affected Radiator versions

1. The vulnerability affects Radiator versions 4.9 + patches, 4.10 and up to 4.13.
2. The EAP bug affects all Radiator versions up to 4.13.

Affected Radiator configurations

The EAP bug affects Radiator configurations which authenticate EAP messages. If your Radiator does not receive EAP messages, it is not affected. Radiator installations proxying EAP messages are not affected if they do not also authenticate EAP messages.

Recommended action

OSC recommends upgrading to Radiator 4.14. If you cannot upgrade at this time, install the backport to fix the EAP bug.

* Download and upgrade to Radiator 4.14, or
* Download Radiator 4.14, unpack the distribution package and install the backport from the goodies/Radiator-4.14-EAP-backport/ directory. OSC has created backports with release notes for previous Radiator releases.
* Restart Radiator after the upgrade or backport installation.

Mitigation of the vulnerability

If your Radiator version is vulnerable and you cannot upgrade or apply backports at this time, OSC recommends removing the EAP method released with Radiator 4.10 to remove the known vulnerability.

* If you run Radiator release 4.9 with patches, 4.10 or later up to 4.13, locate any instances of a file named EAP_16776957_4244372217.pm and remove them.
* This file can be safely removed, since it is not needed in a production environment.
* Restart Radiator when you have removed the files.

Questions and Answers

What might an attacker use this vulnerability to do?

An attacker could gain access to an authenticated resource without valid credentials. The authentication method must be based on the EAP protocol. Common examples are Wi-Fi networks with WPA-Enterprise and WPA2-Enterprise authentication.

What is required to exploit this vulnerability?

The attacker needs to develop a custom EAP supplicant (client software) to send specially crafted EAP messages.

What is the difference between the vulnerability and the EAP bug?

The EAP method restriction bypass is a bug which may cause further vulnerabilities if left unfixed. OSC strongly recommends upgrading to Radiator 4.14 or installing a backport included in the Radiator 4.14 distribution package to fix the bug.

The EAP bug together with the test EAP method introduced in Radiator 4.9 + patches create the vulnerability which could be used to gain unauthorised access. OSC considers this a vulnerability which requires urgent attention.

-- 
Heikki Vatiainen h...@open.com.au
Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt
Try EAPTLS_SessionResumption 0 and see if it works then. I'm curious what supplicant you're using.

-- 
Andrew Clark

On Tue, Nov 16, 2010 at 4:20 PM, Johnson, Neil M neil-john...@uiowa.edu wrote:
> The first time I start the server I can successfully connect with a client, but if I disconnect the client and attempt to reconnect, authentication seems to go into an infinite loop.
>
> Config file and trace 4 log below.
>
> -Neil
Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt
Andrew,

Setting that parameter seems to have fixed the issue, Thanks. I'm using a Windows 7 laptop with the default supplicant. Granted I'm doing a lot of rapid connecting and disconnecting while testing. I don't think an end user would be doing what I'm doing.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

-----Original Message-----
From: Andrew Clark [mailto:a...@umn.edu]
Sent: Wednesday, November 17, 2010 8:25 AM
To: Johnson, Neil M
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt

> Try EAPTLS_SessionResumption 0 and see if it works then. I'm curious what supplicant you're using.
>
> -- 
> Andrew Clark
Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt
Well, I've seen the same thing on Windows boxes with the default supplicant using a Trapeze wireless system. What have you got for access points, etc.? I'm also wondering whether this isn't an OpenSSL issue.

-- 
Andrew Clark

On Wed, Nov 17, 2010 at 8:41 AM, Johnson, Neil M neil-john...@uiowa.edu wrote:
> Andrew,
>
> Setting that parameter seems to have fixed the issue, Thanks. I'm using a Windows 7 laptop with the default supplicant. Granted I'm doing a lot of rapid connecting and disconnecting while testing. I don't think an end user would be doing what I'm doing.
>
> -Neil
Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt
We are using Meru.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

-----Original Message-----
From: Andrew Clark [mailto:a...@umn.edu]
Sent: Wednesday, November 17, 2010 8:48 AM
To: Johnson, Neil M
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt

> Well, I've seen the same thing on Windows boxes with the default supplicant using a Trapeze wireless system. What have you got for access points, etc.? I'm also wondering whether this isn't an OpenSSL issue.
>
> -- 
> Andrew Clark
(RADIATOR) EAP Authentication problem with Win2000
Hello everybody,

I am running radiator 3.6 with a quite simple configuration as follows:

--
Foreground
LogStdout
LogDir .
DbDir .

<Client ...>
        Secret xxx
        DupInterval 0
        IgnoreAcctSignature
</Client>

<Realm ...>
        <AuthBy PLSQL>
                NoDefault
                DBSource dbi:Oracle:xx.
                DBUsername DBAuth
                # Authentication
                AutoMPPEKeys
                EAPType MD5-Challenge
                AuthBlock BEGIN \
                        NETngRadius.getUserData ('%n',:passwd,:reply_item);\
                        END;
                AuthParamDef :passwd, User-Password, check
                AuthParamDef :reply_item, GENERIC, reply
        </AuthBy>
</Realm>
--

I am trying to use IEEE802.1x with win2000. In Win2000 the authentication is set to Protected EAP (PEAP). After entering the username and password in the logon credentials menu, the following error message is returned in radiusd:

...
Tue Sep 9 13:33:20 2003: INFO: EAP Nak desires type 25
Tue Sep 9 13:33:20 2003: INFO: Access rejected for test: Desired EAP type 25 not permitted
...

It seems that radiusd does not recognize the desired EAP.

Thanks in advance for your help or suggestions.

Regards
Dordaneh
Re: (RADIATOR) EAP Authentication problem with Win2000
Hello,

Your client is trying to start a PEAP authentication, but your Radiator configuration specifies only MD5-Challenge.

See the examples in goodies/eap_peap.cfg for PEAP configurations.

Cheers.

On Tue, 9 Sep 2003 10:31 pm, Arangeh, Dordaneh wrote:
> Hello everybody,
>
> I am running radiator 3.6 with a quite simple configuration as follows:
> ...
>                 AutoMPPEKeys
>                 EAPType MD5-Challenge
> ...
> I am trying to use IEEE802.1x with win2000. In Win2000 the authentication is set to Protected EAP (PEAP). After entering the username and password in the logon credentials menu, the following error message is returned in radiusd:
>
> ...
> Tue Sep 9 13:33:20 2003: INFO: EAP Nak desires type 25
> Tue Sep 9 13:33:20 2003: INFO: Access rejected for test: Desired EAP type 25 not permitted
> ...
>
> It seems that radiusd does not recognize the desired EAP.
>
> Thanks in advance for your help or suggestions.
>
> Regards
> Dordaneh

-- 
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd        Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) EAP Authentication
Hello Chris -

I will need to see a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening. Also note that you should be running Radiator 3.6 plus all the latest patches.

Could you also provide more details on what you mean by "The Radiator servers are setup to communicate securely."?

And what hardware/software platform are you running and what version of Perl, etc.?

regards

Hugh

On Thursday, Aug 28, 2003, at 04:27 Australia/Melbourne, Christian Fredrickson wrote:
> I have a Radiator server setup to authenticate users via Wireless Access Points. The Radiator servers are setup to communicate securely. I have set my Radiator server to authenticate using the file provided by default. I can authenticate users with the radpwtst provided with the install from the local box, but when trying to authenticate users via the wireless network, I get the following error:
>
> Wed Aug 27 12:14:29 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Aug 27 12:14:29 2003: DEBUG: Handling with EAP: code 2, 13, 23
> Wed Aug 27 12:14:29 2003: DEBUG: Response type 1
> Wed Aug 27 12:14:29 2003: INFO: Access rejected for mikem: EAP authentication is not permitted.
>
> We will be using the SSLeay module for secure communication. This is a Windows server. I have downloaded the SSLeay.dll and Libeay.dll, but receive errors while testing those. Has anyone built these DLLs and have them working?
>
> Thank you,
> Chris

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
(RADIATOR) EAP Authentication
I have a Radiator server setup to authenticate users via Wireless Access Points. The Radiator servers are setup to communicate securely. I have set my Radiator server to authenticate using the file provided by default. I can authenticate users with the radpwtst provided with the install from the local box, but when trying to authenticate users via the wireless network, I get the following error:

Wed Aug 27 12:14:29 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Aug 27 12:14:29 2003: DEBUG: Handling with EAP: code 2, 13, 23
Wed Aug 27 12:14:29 2003: DEBUG: Response type 1
Wed Aug 27 12:14:29 2003: INFO: Access rejected for mikem: EAP authentication is not permitted.

We will be using the SSLeay module for secure communication. This is a Windows server. I have downloaded the SSLeay.dll and Libeay.dll, but receive errors while testing those. Has anyone built these DLLs and have them working?

Thank you,
Chris
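Added example, not code from any of the posts and not Radiator's own code: a small server-side EAP type check in Python that covers the two rejections seen in these threads and the restriction the OSC-SEC-2014-01 advisory above is about. Dordaneh's supplicant answered the MD5-Challenge offer with an EAP Nak asking for type 25 (PEAP), which the AuthBy's EAPType list did not permit; Chris's AuthBy FILE had no EAPType at all, so EAP was not permitted in the first place. The packets are constructed (the Identity response is built so its header reads code 2, identifier 13, length 23, the shape of the header in Chris's trace; the identity string is made up), and the function and field names are mine. Type numbers are the IANA EAP method types.

```python
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
# IANA EAP method type numbers for the methods named in these threads.
EAP_TYPE_NAMES = {4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def parse_eap(packet: bytes) -> dict:
    """Split an EAP packet (RFC 3748): Code, Identifier, Length, Type, Type-Data.
    The Length field must match the buffer; a mismatch is rejected outright
    rather than trusted."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length {length} does not match {len(packet)} bytes")
    eap_type = packet[4] if length > 4 else None
    return {"code": code, "id": ident, "length": length,
            "type": eap_type, "data": packet[5:]}


def handle_eap_response(packet: bytes, permitted_types: list) -> tuple:
    """Decide what the server does with a peer's EAP Response, given the
    method types the AuthBy permits (the role Radiator's EAPType list plays).
    Returns (action, detail)."""
    if not permitted_types:
        # An AuthBy with no EAP method configured cannot do EAP at all.
        return ("reject", "EAP authentication is not permitted")
    msg = parse_eap(packet)
    if msg["code"] != EAP_CODE_RESPONSE:
        return ("reject", f"unexpected EAP code {msg['code']}")
    if msg["type"] == EAP_TYPE_IDENTITY:
        # Identity received: offer the first permitted method.
        return ("propose", permitted_types[0])
    if msg["type"] == EAP_TYPE_NAK:
        # Nak: the peer lists the methods it is willing to do, in preference
        # order. Only a method on the server's own list may be chosen.
        desired = list(msg["data"])
        for t in desired:
            if t in permitted_types:
                return ("propose", t)
        return ("reject", f"Desired EAP type {', '.join(map(str, desired))} not permitted")
    if msg["type"] in permitted_types:
        return ("continue", msg["type"])
    # A method the peer simply starts using must also be on the list;
    # accepting it here would bypass the configured restriction.
    return ("reject", f"EAP type {msg['type']} not permitted")


# Constructed packets (not captured from the threads above).
# Response/Identity: code 2, id 13, length 23, identity "mikem@example.test".
IDENTITY_RESPONSE = b"\x02\x0d\x00\x17\x01" + b"mikem@example.test"
# Response/Nak: code 2, id 5, length 6, desiring type 25 (PEAP) only.
NAK_WANTS_PEAP = b"\x02\x05\x00\x06\x03\x19"


if __name__ == "__main__":
    print(handle_eap_response(IDENTITY_RESPONSE, []))        # Chris's AuthBy FILE, no EAPType
    print(handle_eap_response(NAK_WANTS_PEAP, [4]))          # Dordaneh's EAPType MD5-Challenge
    print(handle_eap_response(NAK_WANTS_PEAP, [4, 25]))      # with PEAP added to the list
```

The last branch is the one that matters for the advisory: the Nak handling and the "peer starts a method on its own" path both have to consult the same permitted list, otherwise a client that skips the Nak and sends a Response of an unlisted type gets past the restriction the operator configured.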