Univention Bugzilla – Bug 44916
(U@S 4.1) RADIUS NTLM auth fails with Cisco APs due to Station ID format
Last modified: 2017-09-12 13:18:21 CEST
This also affects UCS@school

+++ This bug was initially created as a clone of Bug #42722 +++

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
------------------------------------------------------------

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "12.34.56.78.90.ab" (or "12.34.56.78.90.ab") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
All non hexadecimal characters are now stripped from station id before decoding the station id
==> no failure anymore because of station ids.

Please note that the station id is not used in UCS@school's auth helper ucs-school-ntlm-auth-suidwrapper! But there is a similar but more complex auth helper in univention-radius that uses the same CLI arguments. That's why --station-id has not been removed from argument list.

ucs-school-radius-802.1x.yaml:
r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory

ucs-test-ucsschool (3.0.17-62):
r81034 | Bug #44916: add test with station id

ucs-school-radius-802.1x (5.0.1-1):
r80752 | Bug #44916: support different types of stationIds

Package: ucs-school-radius-802.1x
Version: 5.0.1-1.17.201707111320
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2

Before:
=======
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Traceback (most recent call last):
  File "/usr/bin/ucs-school-ntlm-auth", line 132, in <module>
    sys.exit(main())
  File "/usr/bin/ucs-school-ntlm-auth", line 118, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Traceback (most recent call last):
  File "/usr/bin/ucs-school-ntlm-auth", line 132, in <module>
    sys.exit(main())
  File "/usr/bin/ucs-school-ntlm-auth", line 118, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)

After:
======
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=112233445566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11:22:33:44:55:66
Logon failure (0xc000006d)
OK: different station id formats are supported
~OK: the ucs-test changes: added parameter is unused
OK: YAML
UCS@school 4.1 R2 v13 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html

If this error occurs again, please clone this bug.