[RADIATOR] EAP authentication using TLSv1.2 with OpenSSL 1.0.1f or 1.0.1g based servers may fail

2015-12-17 Thread Heikki Vatiainen
Hello list members. It has come to our attention that TLS based EAP 
methods, such as EAP-TLS, EAP-TTLS and PEAP, may fail in some cases.

The currently verified failure case is this:
- Client wishes to use TLSv1.2 and the server agrees to do so, and
- Radiator on the server uses OpenSSL 1.0.1f or 1.0.1g, and
- The client supports certain TLS cipher suites.

The above was verified with Ubuntu 14.04 as the server and 
wpa_supplicant with GnuTLS 2.12.23 as the client.

When this happens, the server derives incorrect keying material. The 
keying material is typically used to create the Wi-Fi encryption keys 
returned with MPPE-Recv-Key and MPPE-Send-Key RADIUS attributes. As the 
result, the client authenticates normally but is unable to access the 
network because of the key mismatch between the client and the Wi-Fi 
access point/controller.

For the details, please see this message on the hostapd/wpa_supplicant 
mailing list:

http://lists.infradead.org/pipermail/hostap/2015-December/034297.html

By default Radiator 4.14 and later support all TLS versions for TLS 
based EAP methods. To configure Radiator not to use TLSv1.2, use the 
EAPTLS_Protocols configuration parameter. For example, to allow TLSv1 
and TLSv1.1 only:

EAPTLS_Protocols TLSv1, TLSv1.1

See section '5.21.33 EAPTLS_Protocols' in the Radiator 4.16 reference 
manual for more information.

We are considering a patch in Radiator that disables TLSv1.2 for EAP if 
the OpenSSL version is one of the above.

Thanks to Nick Lowe for letting us know about this.

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
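The failure described in the message above is a keying-material mismatch rather than an authentication failure, so it helps to see where the MPPE keys come from. The following Python is an added illustration, not Radiator code and not part of the original message: it implements the TLS 1.2 PRF of RFC 5246 section 5 and the EAP-TLS key derivation of RFC 5216 section 2.3, then shows that when the server and the client expand the same master secret with different PRF hash functions (TLS 1.2 uses SHA-256 by default, while the SHA-384 cipher suites of RFC 5289 use SHA-384), the MSK, and with it MS-MPPE-Recv-Key and MS-MPPE-Send-Key, no longer match even though the TLS handshake completed. The master secret and handshake randoms are constructed sample values; the example does not claim this is the exact defect in OpenSSL 1.0.1f/1.0.1g, only that a PRF disagreement produces the symptom the message describes.

```python
import hashlib
import hmac

EAP_TLS_LABEL = b"client EAP encryption"   # RFC 5216 section 2.3 exporter label

# Constructed sample handshake values (not from a real session): a 48-byte TLS master
# secret and the two 32-byte handshake randoms.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)


def p_hash(hash_name, secret, seed, length):
    """RFC 5246 section 5 P_hash: HMAC expansion of (secret, seed) to `length` bytes.
    A(0) = seed, A(i) = HMAC(secret, A(i-1)); output block i = HMAC(secret, A(i) + seed)."""
    digestmod = getattr(hashlib, hash_name)
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def tls12_prf(hash_name, secret, label, seed, length):
    """TLS 1.2 PRF(secret, label, seed) = P_<hash>(secret, label + seed).  RFC 5246 uses
    SHA-256 unless the negotiated cipher suite specifies another hash; the SHA-384 suites
    of RFC 5289 use SHA-384.  Both peers must use the same hash to get identical output."""
    return p_hash(hash_name, secret, label + seed, length)


def eap_tls_keys(hash_name, master_secret, client_random, server_random):
    """RFC 5216 section 2.3: Key_Material = TLS-PRF-128(master_secret,
    "client EAP encryption", client.random + server.random); the MSK is the first 64
    octets, the EMSK the next 64.  A RADIUS server returns MSK[0:32] as MS-MPPE-Recv-Key
    and MSK[32:64] as MS-MPPE-Send-Key, from which the access point takes the Wi-Fi PMK."""
    key_material = tls12_prf(hash_name, master_secret, EAP_TLS_LABEL,
                             client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:]
    return {"msk": msk, "emsk": emsk,
            "mppe_recv_key": msk[:32], "mppe_send_key": msk[32:]}


def keys_agree(server_keys, client_keys):
    """True when both sides derived the same MSK.  False reproduces the symptom in the
    message above: EAP authentication succeeds but the Wi-Fi key exchange fails."""
    return hmac.compare_digest(server_keys["msk"], client_keys["msk"])


if __name__ == "__main__":
    args = (SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    server = eap_tls_keys("sha256", *args)
    print("same PRF hash on both sides:", keys_agree(server, eap_tls_keys("sha256", *args)))
    print("server SHA-256, client SHA-384:", keys_agree(server, eap_tls_keys("sha384", *args)))
```

When checking a deployment for this class of problem, the useful comparison is the one `keys_agree` makes: derive the MSK from the same handshake secrets with an independent implementation and compare it against what the server put into the MPPE attributes; restricting EAPTLS_Protocols as the message suggests avoids the TLSv1.2 code path altogether until the OpenSSL library is updated.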


[RADIATOR] OSC Security advisory OSC-SEC-2014-01: Vulnerability in OSC Radiator EAP authentication could allow unauthenticated access

2014-12-04 Thread Heikki Vatiainen
For HTML version, please see:
https://www.open.com.au/OSC-SEC-2014-01.html

Open System Consultants (OSC)
Security Advisory OSC-SEC-2014-01
Vulnerability in OSC Radiator EAP authentication could allow 
unauthenticated access

Published: December 3, 2014 10:00 am UTC | Updated December 4, 2014 8:00 
am UTC

Summary
+++++++
A bug exists in the Radiator Extensible Authentication Protocol (EAP)
implementation where a malicious client could bypass EAP method
restrictions. A vulnerability caused by this bug was discovered in
recent Radiator releases and requires urgent attention.

This EAP bug together with an EAP method released in Radiator 4.10
create a vulnerability which could allow a malicious EAP client to
gain unauthorised access from Radiator. A successful exploitation
requires specially crafted EAP client software.

The bug and the vulnerability were discovered by OSC's development
team. OSC is not aware of public use of this vulnerability.


Affected Radiator versions
++++++++++++++++++++++++++
1. The vulnerability affects Radiator versions 4.9 + patches, 4.10 and 
up to 4.13.
2. The EAP bug affects all Radiator versions up to 4.13.


Affected Radiator configurations
++++++++++++++++++++++++++++++++
The EAP bug affects Radiator configurations which authenticate EAP
messages. If your Radiator does not receive EAP messages, it is not
affected.

Radiator installations proxying EAP messages are not affected if they
do not also authenticate EAP messages.


Recommended action
++++++++++++++++++
OSC recommends upgrading to Radiator 4.14. If you cannot upgrade at
this time, install the backport to fix the EAP bug.


* Download and upgrade to Radiator 4.14, or
* Download Radiator 4.14, unpack the distribution package and install 
the backport from the goodies/Radiator-4.14-EAP-backport/ directory. OSC has 
created backports with release notes for previous Radiator releases.
* Restart Radiator after the upgrade or backport installation.


Mitigation of the vulnerability
+++++++++++++++++++++++++++++++
If your Radiator version is vulnerable and you cannot upgrade or apply
backports at this time, OSC recommends removing the EAP method
released with Radiator 4.10 to remove the known vulnerability.

* If you run Radiator release 4.9 with patches, 4.10 or later up to 
4.13, locate any instances of a file named EAP_16776957_4244372217.pm 
and remove them.
* This file can be safely removed, since it is not needed in a production 
environment.
* Restart Radiator when you have removed the files.


Questions and Answers
+++++++++++++++++++++
What might an attacker use this vulnerability to do?
An attacker could gain access to an authenticated resource without
valid credentials. The authentication method must be based on the EAP
protocol. Common examples are Wi-Fi networks with WPA-Enterprise and
WPA2-Enterprise authentication.


What is required to exploit this vulnerability?
The attacker needs to develop a custom EAP supplicant (client
software) to send specially crafted EAP messages.


What is the difference between the vulnerability and the EAP bug?
The EAP method restriction bypass is a bug which may cause further
vulnerabilities if left unfixed. OSC strongly recommends upgrading to
Radiator 4.14 or installing a backport included in the Radiator 4.14
distribution package to fix the bug.

The EAP bug together with the test EAP method introduced in Radiator
4.9 + patches create the vulnerability which could be used to gain
unauthorised access. OSC considers this a vulnerability which
requires urgent attention.


-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt

2010-11-17 Thread Andrew Clark
Try EAPTLS_SessionResumption 0 and see if it works then.

I'm curious what supplicant you're using.

--
Andrew Clark


On Tue, Nov 16, 2010 at 4:20 PM, Johnson, Neil M neil-john...@uiowa.edu wrote:
 The first time I start the server I can successfully connect with a client, 
 but if I disconnect the client and attempt to reconnect, authentication seems 
 to go into an infinite loop.

 Config file and trace 4 log below.

 -Neil



Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt

2010-11-17 Thread Johnson, Neil M
Andrew,

Setting that parameter seems to have fixed the issue, Thanks.

I'm using a Windows 7 laptop with the default supplicant.

Granted I'm doing a lot of rapid connecting and disconnecting while testing. I 
don't think an end user would be doing what I'm doing.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 




Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt

2010-11-17 Thread Andrew Clark
Well, I've seen the same thing on Windows boxes with the default
supplicant using a Trapeze wireless system.  What have you got for
access points, etc.?  I'm also wondering whether this isn't an OpenSSL
issue.

--
Andrew Clark



Re: [RADIATOR] EAP authentication works first time, but goes into infinite loop on the second auth attempt

2010-11-17 Thread Johnson, Neil M
We are using Meru.

-Neil


-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu 




(RADIATOR) EAP Authentication problem with Win2000

2003-09-09 Thread Arangeh, Dordaneh
Hello everybody,

I am running radiator 3.6 with a quite simple configuration
as follows:

--
Foreground
LogStdout
LogDir .
DbDir .

# The names on the <Client ...> and <Realm ...> lines were lost in the archived copy.
<Client ...>
	Secret xxx
	DupInterval 0
	IgnoreAcctSignature
</Client>

<Realm ...>
	<AuthBy PLSQL>
		NoDefault
		DBSource dbi:Oracle:xx.
		DBUsername 
		DBAuth 

		# Authentication
		AutoMPPEKeys
		EAPType MD5-Challenge
		AuthBlock BEGIN \
			NETngRadius.getUserData ('%n',:passwd,:reply_item);\
			END;

		AuthParamDef :passwd, User-Password, check
		AuthParamDef :reply_item, GENERIC, reply
	</AuthBy>
</Realm>

I am trying to use IEEE 802.1X with Win2000. In Win2000 the
authentication is set to Protected EAP (PEAP). After entering the
username and password in the logon credentials menu, the following
error message is returned by radiusd:

...
Tue Sep  9 13:33:20 2003: INFO: EAP Nak desires type 25
Tue Sep  9 13:33:20 2003: INFO: Access rejected for test: Desired EAP type 25 not permitted
...

It seems that radiusd does not recognize the desired EAP.

Thanks in advance for your help or suggestions.

Regards

Dordaneh








Re: (RADIATOR) EAP Authentication problem with Win2000

2003-09-09 Thread Mike McCauley
Hello,

Your client is trying to start a PEAP authentication, but your Radiator 
configuration specifies only MD5-Challenge.

See the examples in goodies/eap_peap.cfg for PEAP configurations.

Cheers.

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Re: (RADIATOR) EAP Authentication

2003-08-28 Thread Hugh Irvine
Hello Chris -

I will need to see a copy of your configuration file (no secrets) 
together with a trace 4 debug from Radiator showing what is happening. 
Also note that you should be running Radiator 3.6 plus all the latest 
patches.

Could you also provide more details on what you mean by "The Radiator 
servers are setup to communicate securely"?

And what hardware/software platform are you running and what version of 
Perl, etc.?

regards

Hugh


NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


(RADIATOR) EAP Authentication

2003-08-27 Thread Christian Fredrickson
I have a Radiator server setup to authenticate users via Wireless Access
Points. The Radiator servers are setup to communicate securely. I have set
my Radiator server to authenticate using the file provided by default. I can
authenticate users with the radpwtst provided with the install from the
local box, but when trying to authenticate users via the wireless network, I
get the following error:

Wed Aug 27 12:14:29 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Aug 27 12:14:29 2003: DEBUG: Handling with EAP: code 2, 13, 23
Wed Aug 27 12:14:29 2003: DEBUG: Response type 1
Wed Aug 27 12:14:29 2003: INFO: Access rejected for mikem: EAP authentication is not permitted.

We will be using the SSLeay module for secure communication. This is a
Windows server. I have downloaded the SSLeay.dll and Libeay.dll, but receive
errors while testing those. Has anyone built these DLLs and have them
working?

Thank you,

Chris
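Three threads on this page come down to the same server-side decision: the advisory's EAP method restriction bypass (a client steering the server onto a method it was not configured to offer), the Win2000 log lines "EAP Nak desires type 25" / "Desired EAP type 25 not permitted", and the "EAP authentication is not permitted" rejection in the message above, where the Identity response arrives but no EAP method is configured. The Python below is an added illustration of how that decision should be made; it is not Radiator's code. It parses an EAP Response per RFC 3748, consults the configured EAPType list, and treats a client's Nak as a request that is honoured only for methods in that list. The EAPType spellings other than MD5-Challenge are assumed, and the packets it handles are constructed test input; the identity "mikem" is the one from the log above.

```python
import struct

EAP_CODE_RESPONSE = 2          # RFC 3748 section 4: Code values
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3

# EAP method names as written in the EAPType parameter, mapped to IANA EAP type numbers.
# "MD5-Challenge" appears on this page; the other spellings are assumed for illustration.
EAP_TYPE_NUMBERS = {"MD5-Challenge": 4, "TLS": 13, "TTLS": 21, "PEAP": 25, "MSCHAP-V2": 26}


def parse_eaptype(config_line):
    """Turn 'EAPType MD5-Challenge, PEAP' into an ordered list of permitted type numbers.
    An EAPType line with no value yields an empty list, i.e. EAP is not permitted at all."""
    keyword, _, value = config_line.strip().partition(" ")
    if keyword != "EAPType":
        raise ValueError("not an EAPType line: %r" % config_line)
    allowed = []
    for name in value.split(","):
        name = name.strip()
        if not name:
            continue
        if name not in EAP_TYPE_NUMBERS:
            raise ValueError("unknown EAP method %r" % name)
        allowed.append(EAP_TYPE_NUMBERS[name])
    return allowed


def parse_eap(raw):
    """Parse the EAP header (Code, Identifier, Length, Type) and return the Type-Data.
    The Length field must match what was actually received, so a truncated or padded
    packet is rejected before any method logic sees it."""
    if len(raw) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP Length %d does not match %d bytes received" % (length, len(raw)))
    return {"code": code, "id": identifier, "type": eap_type, "data": raw[5:]}


def handle_response(allowed_types, raw):
    """Server-side method selection that always consults the configured EAPType list.

    Returns ('offer', type) after an Identity response, ('continue', type) when the
    client's Nak names a permitted method or the response carries a permitted method,
    and ('reject', reason) in every other case.  The configured list, never the client's
    Nak, is the authority on which methods are permitted."""
    pkt = parse_eap(raw)
    if pkt["code"] != EAP_CODE_RESPONSE:
        return ("reject", "not an EAP Response")
    if not allowed_types:
        return ("reject", "EAP authentication is not permitted")
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return ("offer", allowed_types[0])            # propose the first configured method
    if pkt["type"] == EAP_TYPE_NAK:                   # legacy Nak, RFC 3748 section 5.3.1
        desired = list(pkt["data"])
        if not desired or desired == [0]:
            return ("reject", "client accepts none of the offered EAP types")
        for t in desired:
            if t in allowed_types:
                return ("continue", t)
        return ("reject", "Desired EAP type %s not permitted" % ", ".join(str(t) for t in desired))
    if pkt["type"] in allowed_types:
        return ("continue", pkt["type"])
    return ("reject", "EAP type %d not permitted" % pkt["type"])


def build_response(identifier, eap_type, type_data=b""):
    """Assemble an EAP Response packet (constructed test input, not captured traffic)."""
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, 5 + len(type_data), eap_type) + type_data


if __name__ == "__main__":
    md5_only = parse_eaptype("EAPType MD5-Challenge")
    # A supplicant that Naks with type 25 (PEAP) against an MD5-only configuration is refused.
    print(handle_response(md5_only, build_response(1, EAP_TYPE_NAK, bytes([25]))))
    # With no EAPType configured at all, even the Identity response is refused.
    print(handle_response([], build_response(13, EAP_TYPE_IDENTITY, b"mikem")))
```

The two rejection strings mirror the log lines quoted on this page, which is what makes them useful detection signals: a burst of "Desired EAP type ... not permitted" from one client identity is the trace a method-steering attempt leaves when the restriction is enforced, and "EAP authentication is not permitted" simply means the AuthBy clause has no EAPType.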
