Bug 44916 – (U@S 4.1) RADIUS NTLM auth fails with Cisco APs due to Station ID format

Bug 44916 - (U@S 4.1) RADIUS NTLM auth fails with Cisco APs due to Station ID format


Summary:	(U@S 4.1) RADIUS NTLM auth fails with Cisco APs due to Station ID format

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	Radius
Version:	UCS@school 4.1 R2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 4.1 R2 v13
Assigned To:	Sönke Schwardt-Krummrich
QA Contact:	Florian Best

URL:
Keywords:

Depends on:	42722
Blocks:	44917
	Show dependency tree / graph

Reported:	2017-06-30 17:46 CEST by Sönke Schwardt-Krummrich
Modified:	2017-09-12 13:18 CEST (History)
CC List:	6 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	External feedback
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sönke Schwardt-Krummrich

2017-06-30 17:46:34 CEST

This also affects UCS@school

+++ This bug was initially created as a clone of Bug #42722 +++

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
------------------------------------------------------------

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "12.34.56.78.90.ab" (or "12.34.56.78.90.ab") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143

Comment 1 Sönke Schwardt-Krummrich

2017-07-11 13:32:03 CEST

All non hexadecimal characters are now stripped from station id before decoding the station id == > no failure anymore because of station ids.

Please note that the station id is not used in UCS@school's auth helper
ucs-school-ntlm-auth-suidwrapper!
But there is a similar but more complex auth helper in univention-radius that uses the same CLI arguments. That's why --station-id has not been removed from argument list.

ucs-school-radius-802.1x.yaml:
r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory

ucs-test-ucsschool (3.0.17-62):
r81034 | Bug #44916: add test with station id

ucs-school-radius-802.1x (5.0.1-1):
r80752 | Bug #44916: support different types of stationIds


Package: ucs-school-radius-802.1x
Version: 5.0.1-1.17.201707111320
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2

Before:
=======

root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Traceback (most recent call last):
  File "/usr/bin/ucs-school-ntlm-auth", line 132, in <module>
    sys.exit(main())
  File "/usr/bin/ucs-school-ntlm-auth", line 118, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Traceback (most recent call last):
  File "/usr/bin/ucs-school-ntlm-auth", line 132, in <module>
    sys.exit(main())
  File "/usr/bin/ucs-school-ntlm-auth", line 118, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)


After:
======
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=112233445566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11:22:33:44:55:66
Logon failure (0xc000006d)

Comment 2 Florian Best

2017-07-19 16:36:48 CEST

OK: different station id formats are supported
~OK: the ucs-test changes: added parameter is unused
OK: YAML

Comment 3 Sönke Schwardt-Krummrich

2017-09-12 13:18:21 CEST

UCS@school 4.1 R2 v13 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html

If this error occurs again, please clone this bug.