Bug 42722 - RADIUS NTLM auth fails with Cisco APs due to Station ID format
RADIUS NTLM auth fails with Cisco APs due to Station ID format
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.1
Other Linux
: P5 normal
: UCS 4.2-2-errata
Assigned To: Sönke Schwardt-Krummrich
Florian Best
Depends on:
Blocks: 44916 44917
Reported: 2016-10-20 15:17 CEST by Moritz Bunkus
Modified: 2017-11-08 14:59 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:
best: Patch_Available+

remove non hex digits from station ID via regex (779 bytes, patch)
2016-10-20 15:17 CEST, Moritz Bunkus

Description Moritz Bunkus 2016-10-20 15:17:48 CEST
Created attachment 8141 [details]
remove non hex digits from station ID via regex

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "" (or "") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
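The following is an added illustration of the parsing problem described in the report, not the attached patch or the project's own code. The Calling-Station-Id is a value supplied by the NAS, so the authentication helper should normalise and validate it rather than assume a fixed layout and crash on an unexpected one. normalize_station_id() strips every non-hex character before decoding (the report's proposed approach; the exact regex of the attached patch is not visible on this page, so this one is an assumption), accepts colon-, hyphen- and Cisco dot-separated forms, treats a missing value as empty, and rejects an odd number of hex digits with a ValueError instead of a traceback. legacy_decode() is a reconstruction of the "two hex digits plus one ignored character" assumption the report describes, included only to show why "1234.5678.09ab" breaks it. All sample values are constructed.

```python
import binascii
import re

# Anything that is not a hex digit is treated as a separator and dropped.
# Assumption: this is the behaviour the report's patch introduces; the patch
# itself is not shown on the page.
_NON_HEX = re.compile(r'[^0-9a-fA-F]')


def normalize_station_id(station_id):
    """Return the raw MAC bytes of a RADIUS Calling-Station-Id value.

    Accepts "12:34:56:78:09:ab", "12-34-56-78-09-ab", the Cisco dotted form
    "1234.5678.09ab" and an unseparated "123456780 9ab"-style string.
    A missing or empty value yields b'' (design choice of this example).
    Raises ValueError when an odd number of hex digits remains, so callers
    can report a malformed attribute instead of dying with a traceback.
    """
    if not station_id:
        return b''
    hex_digits = _NON_HEX.sub('', station_id)
    if len(hex_digits) % 2:
        raise ValueError(
            'station id %r has an odd number of hex digits' % (station_id,))
    # binascii.Error (raised on bad input) is a subclass of ValueError.
    return binascii.unhexlify(hex_digits)


def legacy_decode(station_id):
    """Reconstruction of the pre-fix assumption from the report (NOT the
    project's real code): two hex digits followed by one ignored separator
    character, repeated. Works for "12:34:56:78:09:ab" but fails on the
    Cisco form, whose separators are not at every third position.
    """
    pairs = [station_id[i:i + 2] for i in range(0, len(station_id), 3)]
    return binascii.unhexlify(''.join(pairs))


def decodes(decoder, station_id):
    """True if decoder accepts station_id, False if it raises ValueError."""
    try:
        decoder(station_id)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    # Constructed sample values covering the formats discussed in the report.
    samples = ['12:34:56:78:09:ab', '12-34-56-78-09-AB', '1234.5678.09ab',
               '123456780 9ab', '', '123']
    for sample in samples:
        print('%-20r legacy=%-5s normalized=%s' % (
            sample,
            decodes(legacy_decode, sample),
            normalize_station_id(sample).hex()
            if decodes(normalize_station_id, sample) else 'ValueError'))
```

The legacy approach happens to accept the colon form only because each separator sits at every third character; the normalising version makes no assumption about where separators are, which is why it copes with Cisco's "xxxx.xxxx.xxxx" layout.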
Comment 1 Florian Best univentionstaff 2017-10-23 12:18:25 CEST
The fix is already part of UCS@school ucs-school-ntlm-auth but not for UCS univention-ntlm-auth. We should port the changes to UCS.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-10-25 18:12:24 CEST
Prepared in feature branch sschwardt/42722/422/univention-radius
Comment 3 Florian Best univentionstaff 2017-10-25 18:35:31 CEST
(In reply to Sönke Schwardt-Krummrich from comment #2)
> Prepared in feature branch sschwardt/42722/422/univention-radius
LGTM, I added 2 comments. Otherwise you can merge. All the logging stuff we don't want to add here?
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2017-11-02 16:09:38 CET
2a156ce6a7ba | Bug #42722: Merge branch 'sschwardt/42722/422/univention-radius' into 4.2-2
ba2a0e401edb | Bug #42722: add advisory

univention-radius (4.0.0-5):
2a156ce6a7ba | Bug #42722: Merge branch 'sschwardt/42722/422/univention-radius' into 4.2-2
0bde306e6f2a | Bug #42722: add changelog entry
05feb73b55fd | Bug #42722: use empty string as default - in accordance with UCS@school variant
1ec6edfc72a3 | Bug #42722: remove all non-hexadecimal characters from station id

Package: univention-radius
Version: 4.0.0-5A~
Branch: ucs_4.2-0
Scope: errata4.2-2
Comment 5 Florian Best univentionstaff 2017-11-02 16:33:35 CET
OK: station id in CISCO AP format
/usr/bin/univention-radius-ntlm-auth --request-nt-key --username=Administrator --challenge=00 --nt-response=00 --station-id=1234.5678.09ab
Logon failure (0xc000006d)

OK: empty station id
/usr/bin/univention-radius-ntlm-auth --request-nt-key --username=Administrator --challenge=00 --nt-response=00
Logon failure (0xc000006d)

Comment 6 Arvid Requate univentionstaff 2017-11-08 14:59:09 CET