Bug 49283 - PAP Authentication with radius doesn't check univentionNetworkAccess attribute
Status: NEW
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Blocks: 49282
Reported: 2019-04-12 15:30 CEST by Jürn Brodersen
Modified: 2024-01-31 11:13 CET (History)

What kind of report is it?: Security Issue
School Customer affected?: Yes
Ticket number: 2020020721000246, 2019011821001229
Max CVSS v3 score: 4.3 (CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Description Jürn Brodersen univentionstaff 2019-04-12 15:30:36 CEST
PAP Authentication with radius doesn't check univentionNetworkAccess attribute

The univentionNetworkAccess attribute is checked through our ntlm-auth-helper for mschap. PAP Authentication only checks the password.

This is unexpected behaviour. The PAP authentication should either check for the attribute as well or be deactivated.

Note:
With EAP-PEAP (e.g. for wpa enterprise) it is not possible to use PAP. With EAP-TTLS it would be possible but that is currently broken (bug 49289).
That means that this bug is not affecting 802.11X but only services that use radius directly without EAP.
Comment 1 Erik Damrose univentionstaff 2019-07-15 09:30:01 CEST
https://help.univention.com/t//11318
Comment 2 Mathieu Simon 2019-07-19 16:19:47 CEST
Hi

TL;DR: Please consider using unlang[1] for Authorization checking instead of networkAccess.py as used in the current ntlm-auth Python script.

Currently univention-radius-ntlm-auth(-suidwrapper) seems to do 2 things: It handles the MSCHAP challenge in sites-enabled/inner-tunnel during PEAP-MSCHAPv2 (Authentication) and validates authorization-related things like univentionNetworkAccess and certain sambaAcctFlags in the LDAP directory via functions provided in networkAccess.py (package: univention-radius).

From the glimpse that I've given at the code, much of that logic could be handled via unlang[1] statements in FreeRADIUS. Unlang is pretty flexible and the LDAP module rlm_ldap is performant and robust. It can also do caching and LDAP backend failover, all things UCS could leave up to FreeRADIUS to take care of.

By moving the Authorization part of the ntlm-auth script into unlang you could likely include that unlang code block into both the post-auth sections of sites-enabled/default (for PAP) and sites-enabled/inner-tunnel (for PEAP-MSCHAPv2).

Using unlang also leaves more room for site-specific customizations once you get the twist of how unlang works and how you can read additional Attributes from an LDAP directory in order to do even more complex checks if you have an actual need for it.

What I see as an additional bonus for UCS is the reduced amount of own code you have to maintain instead of leaving this to already present functions provided by FreeRADIUS. :-)

If I can provide some more input for unlang, I'm open to discussion.

-- Mathieu


[1] https://freeradius.org/radiusd/man/unlang.html
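As an added illustration of the approach proposed in Comment 2 (example configuration, not code from UCS or FreeRADIUS): rlm_ldap maps univentionNetworkAccess onto a control attribute, and one shared policy evaluates it from post-auth in both virtual servers so that PAP and PEAP-MSCHAPv2 get the same authorization check. The base DN, the user filter and the assumption that the attribute holds "1" for an enabled account are placeholders to be verified against the site's directory.

```unlang
# mods-available/ldap (excerpt): expose the UCS attribute to unlang.
# server, base_dn and the user filter are placeholders; reuse the
# values from the site's existing ldap module configuration.
ldap {
    server  = 'ldap://localhost'
    base_dn = 'dc=example,dc=com'
    user {
        base_dn = "${..base_dn}"
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Assumption: univentionNetworkAccess is "1" when access is allowed.
        control:Tmp-String-0 := 'univentionNetworkAccess'
    }
}

# policy.d/ucs_network_access: one authorization check for both
# sites-enabled/default (PAP) and sites-enabled/inner-tunnel (MSCHAPv2).
ucs_network_access {
    # For PAP the ldap module already ran in authorize and filled the
    # control attribute; the inner tunnel may not have looked the user up.
    if (!&control:Tmp-String-0) {
        ldap.authorize
    }
    # Fail closed: a missing attribute is treated like a disabled one.
    if (!&control:Tmp-String-0 || (&control:Tmp-String-0 != "1")) {
        update reply {
            Reply-Message := "Network access is disabled for this account"
        }
        reject
    }
}

# sites-enabled/default and sites-enabled/inner-tunnel (excerpt):
# a reject returned from post-auth turns the answer into Access-Reject.
post-auth {
    ucs_network_access
}
```

Running the check after authentication keeps the directory lookup off the path for failed logins and gives one place to audit; `radiusd -X` shows the policy's result per request.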
Comment 3 Nico Stöckigt univentionstaff 2020-02-17 14:40:24 CET
This might be an issue at several schools - see Tickets.
Comment 5 tia 2023-03-07 15:53:42 CET
Hello there,

just ran into the same issue on a UCS 4.4-9 (yes, I know, it is outdated...)
Has this issue been resolved in a newer version of UCS?

Kind regards,
Tino
Comment 6 Nico Gulden univentionstaff 2024-01-31 11:13:52 CET
Review and update the respective section in the UCS manual with the implementation of this issue. See https://docs.software-univention.de/manual/5.0/en/ip-config/radius.html#mac-authentication-bypass-with-computer-objects