Univention Bugzilla – Bug 49283
PAP Authentication with radius doesn't check univentionNetworkAccess attribute
Last modified: 2024-01-31 11:13:52 CET
PAP authentication with RADIUS doesn't check the univentionNetworkAccess attribute. The univentionNetworkAccess attribute is checked through our ntlm-auth-helper for MSCHAP. PAP authentication only checks the password. This is unexpected behaviour. The PAP authentication should either check for the attribute as well or be deactivated.

Note: With EAP-PEAP (e.g. for WPA Enterprise) it is not possible to use PAP. With EAP-TTLS it would be possible, but that is currently broken (bug 49289). That means that this bug is not affecting 802.1X but only services that use RADIUS directly without EAP.
https://help.univention.com/t//11318
Hi,

TL;DR: Please consider using unlang[1] for authorization checking instead of networkAccess.py as used in the current ntlm-auth Python script.

Currently univention-radius-ntlm-auth(-suidwrapper) seems to do 2 things: It handles the MSCHAP challenge in sites-enabled/inner-tunnel during PEAP-MSCHAPv2 (authentication) and validates authorization-related things like univentionNetworkAccess and certain sambaAcctFlags in the LDAP directory via functions provided in networkAccess.py (package: univention-radius).

From the glimpse that I've given at the code, much of that logic could be handled via unlang[1] statements in FreeRADIUS. Unlang is pretty flexible and the LDAP module rlm_ldap is performant and robust. It can also do caching and LDAP backend failover, all things UCS could leave up to FreeRADIUS to take care of.

By moving the authorization part of the ntlm-auth script into unlang you could likely include that unlang code block into both the post-auth section of sites-enabled/default (for PAP) and sites-enabled/inner-tunnel (for PEAP-MSCHAPv2). Using unlang also leaves more room for site-specific customizations once you get the twist of how unlang works and how you can read additional attributes from an LDAP directory in order to do even more complex checks if you have an actual need for it.

What I see as an additional bonus for UCS is the reduced amount of own code you have to maintain instead of leaving this to already present functions provided by FreeRADIUS. :-)

If I can provide some more input for unlang, I'm open for discussions.

-- Mathieu

[1] https://freeradius.org/radiusd/man/unlang.html
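The following is an added illustration of the approach suggested in the comment above, applied to the gap described in the bug report (PAP skipping the univentionNetworkAccess check). It is not code from Univention or from FreeRADIUS, and the policy name univention_network_access, the base DN dc=example,dc=com, the use of uid as the login attribute, and the assumption that univentionNetworkAccess is "1" for permitted accounts are all assumptions that a site would adapt. It uses the rlm_ldap xlat (%{ldap:ldap:///base?attribute?scope?filter}) so that the same policy can be called from the post-auth section of both sites-enabled/default (PAP) and sites-enabled/inner-tunnel (PEAP-MSCHAPv2), and it rejects the request after a successful password check when the LDAP attributes say the account must not get network access.

```unlang
#
# policy.d/univention_network_access   (file and policy name: assumptions)
#
# Assumptions:
#  - an rlm_ldap instance named "ldap" is enabled in mods-enabled/ and its
#    bind DN may read univentionNetworkAccess and sambaAcctFlags
#  - users live below dc=example,dc=com and carry the login name in "uid"
#  - univentionNetworkAccess is "1" when network access is granted
#
univention_network_access {

	# Use the realm-stripped login name when the suffix/realm policy set one,
	# otherwise the raw User-Name; keep it in a temporary attribute.
	if (&Stripped-User-Name) {
		update request {
			&Tmp-String-0 := "%{Stripped-User-Name}"
		}
	}
	else {
		update request {
			&Tmp-String-0 := "%{User-Name}"
		}
	}

	# One LDAP lookup per attribute.  rlm_ldap applies LDAP filter escaping
	# to the values expanded inside its xlat, so the login name cannot
	# inject filter syntax.  A missing entry expands to an empty string.
	update request {
		&Tmp-String-1 := "%{ldap:ldap:///dc=example,dc=com?univentionNetworkAccess?sub?(uid=%{Tmp-String-0})}"
		&Tmp-String-2 := "%{ldap:ldap:///dc=example,dc=com?sambaAcctFlags?sub?(uid=%{Tmp-String-0})}"
	}

	# Authorization check 1: network access must be explicitly enabled.
	# An unknown user or an unset attribute fails this check as well.
	if (&Tmp-String-1 != "1") {
		update reply {
			&Reply-Message := "Network access is not enabled for this account"
		}
		reject
	}

	# Authorization check 2: a Samba-disabled account ("D" inside the
	# brackets, e.g. "[UD         ]") must not pass even with a valid
	# password.
	if (&Tmp-String-2 =~ /^\[[^\]]*D/) {
		update reply {
			&Reply-Message := "Account is disabled"
		}
		reject
	}
}

#
# sites-enabled/default and sites-enabled/inner-tunnel: call the policy in
# post-auth so it runs after the password (PAP) or MSCHAPv2 check succeeded.
#
# post-auth {
# 	univention_network_access
# 	...
# }
```

Because the check runs in post-auth, it covers PAP in the default server and MSCHAPv2 inside the inner tunnel with the same lines, which is the reuse the comment above describes. The xlat form was chosen over mapping the attributes in the ldap module's own update block because it needs no extra dictionary entries; the price is an LDAP query per attribute, which rlm_ldap's connection pooling and the cache module can absorb.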
This might be an issue at several schools - see Tickets.
Hello there, just ran into the same issue on a UCS 4.4-9 (Yes, I know, it is outdated...). Has this issue been resolved in a newer version of UCS? Kind regards, Tino
Review and update the respective section in the UCS manual with the implementation of this issue. See https://docs.software-univention.de/manual/5.0/en/ip-config/radius.html#mac-authentication-bypass-with-computer-objects