I'm not sure it's common that clients speak directly to a radius server. Usually there is a NAS in between whether it be VPN concentrator, switch, wireless controller/AP etc. If your clients reside on subnets that have no visibility to the Radius server and NAS management subnets then you'd only need to check your NAS devices for OpenSSL related vulnerabilities, no?

--
Jason Watts
Pratt Institute, Academic Computing
Senior Network Administrator
p. 718-399-4219
f. 718-399-3416

Hanset, Philippe C wrote:
All,

We have been informing eduroam connected schools in the US that were vulnerable
to heartbleed (about 10 schools were vulnerable out of 180 connected to 
eduroam-US, less than 5%).
The eduroam federation did testing for all eduroam-connected campuses to 
evaluate the level of vulnerability and we have informed each RADIUS 
administrator independently.

This said, ANY campus that operates a 802.1X network and uses a RADIUS server 
using OpenSSL could be potentially at risk since an attacker can access the 
RADIUS server via the local WPA/WPA2-enterprise network.
It does require for the attacker to be physically on campus and join the SSID, 
but the risk still exists!

Please analyze your systems for the vulnerability (look into the version of 
OpenSSL that you are running)
and take the appropriate measures.

Here are a few links about Heartbleed and RADIUS
http://freeradius.org/security.html
http://www.open.com.au/pipermail/radiator-announce/2014-April/000024.html
https://confluence.terena.org/display/H2eduroam/heartbleed-note

Thank you,

Philippe

Philippe Hanset
www.eduroam.us

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
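As an added example (not part of this thread, FreeRADIUS, Radiator or eduroam), a POSIX shell script for the check Philippe asks for on a RADIUS host: it shows which libssl the daemon binary links against and tests the version reported by the openssl command against the range upstream listed for Heartbleed (CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta1). The daemon binary names (radiusd, freeradius) are assumptions; distribution packages often backport the fix without changing the version string, so a hit means "confirm against the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not from the original thread. First-pass Heartbleed check for
# a RADIUS server host: version-range test plus a look at the linked libssl.
# Upstream OpenSSL releases affected: 1.0.1 .. 1.0.1f and 1.0.2-beta1.
# Caveat: backported distro fixes keep the old version string, so treat a hit
# as "verify with the vendor", and a miss on an odd build as "verify anyway".

# Returns 0 (true) when the bare version token is in the affected range.
heartbleed_affected_version() {
    case "$1" in
        1.0.2-beta1*) return 0 ;;
        1.0.1)        return 0 ;;   # plain 1.0.1, no letter suffix
        1.0.1[a-f]*)  return 0 ;;   # 1.0.1a .. 1.0.1f, incl. "-fips" builds
        *)            return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8: unaffected
    esac
}

# Pull the version token out of "openssl version" output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e". LibreSSL output is not
# matched on purpose: it forked from OpenSSL after the fix.
openssl_version_token() {
    printf '%s\n' "$1" | awk '/^OpenSSL/ { print $2; exit }'
}

# Report for one host. Optional argument: path to the RADIUS daemon binary
# (assumed names radiusd / freeradius are looked up when it is omitted).
check_radius_server() {
    bin="$1"
    [ -n "$bin" ] || bin=$(command -v radiusd 2>/dev/null || command -v freeradius 2>/dev/null || true)
    if [ -n "$bin" ] && command -v ldd >/dev/null 2>&1; then
        echo "libssl linked by $bin:"
        ldd "$bin" 2>/dev/null | grep -i libssl \
            || echo "  (none listed: static link or a different TLS library)"
    fi
    ver=$(openssl_version_token "$(openssl version 2>/dev/null || true)")
    if [ -z "$ver" ]; then
        echo "no openssl command found; check the libssl package version instead"
        return 2
    fi
    if heartbleed_affected_version "$ver"; then
        echo "OpenSSL $ver is in the Heartbleed-affected range; confirm backport status with your vendor"
        return 1
    fi
    echo "OpenSSL $ver is outside the affected range"
    return 0
}

# Run the report only when invoked with a binary path, so the functions can
# also be sourced and reused.
if [ $# -gt 0 ]; then check_radius_server "$1"; fi
```

Run it on the RADIUS host itself (and, as Jason notes, repeat the equivalent check on every NAS that terminates TLS), since the server is the component an on-campus 802.1X supplicant actually reaches.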
