Bug 44916 - (U@S 4.1) RADIUS NTLM auth fails with Cisco APs due to Station ID format
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Radius
UCS@school 4.1 R2
Other Linux
P5 normal
UCS@school 4.1 R2 v13
Assigned To: Sönke Schwardt-Krummrich
Florian Best
Depends on: 42722
Blocks: 44917
Reported: 2017-06-30 17:46 CEST by Sönke Schwardt-Krummrich
Modified: 2017-09-12 13:18 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:

Description Sönke Schwardt-Krummrich univentionstaff 2017-06-30 17:46:34 CEST
This also affects UCS@school

+++ This bug was initially created as a clone of Bug #42722 +++

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
------------------------------------------------------------

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "12.34.56.78.90.ab" (or "12.34.56.78.90.ab") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2017-07-11 13:32:03 CEST
All non-hexadecimal characters are now stripped from the station id before decoding it ==> no failure anymore because of station ids.

Please note that the station id is not used in UCS@school's auth helper
ucs-school-ntlm-auth-suidwrapper!
But there is a similar but more complex auth helper in univention-radius that uses the same CLI arguments. That's why --station-id has not been removed from the argument list.

ucs-school-radius-802.1x.yaml:
r81030 | Bug #43421, #44603, #44900, #44916, #44918: updated advisory

ucs-test-ucsschool (3.0.17-62):
r81034 | Bug #44916: add test with station id

ucs-school-radius-802.1x (5.0.1-1):
r80752 | Bug #44916: support different types of stationIds


Package: ucs-school-radius-802.1x
Version: 5.0.1-1.17.201707111320
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2

Before:
=======

root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Traceback (most recent call last):
  File "/usr/bin/ucs-school-ntlm-auth", line 132, in <module>
    sys.exit(main())
  File "/usr/bin/ucs-school-ntlm-auth", line 118, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Traceback (most recent call last):
  File "/usr/bin/ucs-school-ntlm-auth", line 132, in <module>
    sys.exit(main())
  File "/usr/bin/ucs-school-ntlm-auth", line 118, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)


After:
======
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=112233445566
Logon failure (0xc000006d)
root@master63:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11:22:33:44:55:66
Logon failure (0xc000006d)
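The station-id normalisation described in the description and verified in the Before/After runs above, written out as an added Python 3 example (not the code of ucs-school-ntlm-auth or univention-radius-ntlm-auth). The old decoder is a reconstruction of the "two hex digits followed by one ignored character" assumption, and the expected_len check is an extra safeguard that the fix on this page does not include.

```python
import binascii
import re

# Constructed Station-Id samples for the formats shown in this bug; all
# except the first (Cisco's dotted groups) encode the same six bytes.
STATION_IDS = [
    "1234.5678.09ab",      # Cisco AP format that triggered the traceback
    "1122.3344.5566",
    "1122-3344-5566",
    "11-22-33-44-55-66",
    "11:22:33:44:55:66",
    "112233445566",
]
_NON_HEX = re.compile(r"[^0-9a-fA-F]")

def decode_station_id_old(station_id):
    """Model of the original assumption ('xx.xx.xx.xx.xx.xx': two hex digits,
    one ignored separator). A reconstruction, not the script's own code."""
    octets = [station_id[i:i + 2] for i in range(0, len(station_id), 3)]
    return binascii.unhexlify("".join(octets))

def old_decoder_fails(station_id):
    """True if the old chunking raises for this Station-Id."""
    try:
        decode_station_id_old(station_id)
    except binascii.Error:
        return True
    return False

def decode_station_id(station_id, expected_len=6):
    """Fixed behaviour: drop every non-hex character, then decode. The length
    check is added strictness beyond the page's fix: separators-only input
    must not silently decode to b''."""
    cleaned = _NON_HEX.sub("", station_id)
    try:
        raw = binascii.unhexlify(cleaned)          # raises on odd length
    except binascii.Error as exc:
        raise ValueError("%r is not valid hex: %s" % (station_id, exc))
    if expected_len is not None and len(raw) != expected_len:
        raise ValueError("%r decodes to %d bytes, expected %d"
                         % (station_id, len(raw), expected_len))
    return raw

def is_valid_station_id(station_id, expected_len=6):
    """Boolean form of decode_station_id for callers that only need a check."""
    try:
        decode_station_id(station_id, expected_len)
    except ValueError:
        return False
    return True
```

Running old_decoder_fails over STATION_IDS shows that only the octet-separated forms survive the old chunking, while decode_station_id accepts every sample and yields the same six bytes for the last five.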
Comment 2 Florian Best univentionstaff 2017-07-19 16:36:48 CEST
OK: different station id formats are supported
~OK: the ucs-test changes: added parameter is unused
OK: YAML
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2017-09-12 13:18:21 CEST
UCS@school 4.1 R2 v13 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v13-de.html

If this error occurs again, please clone this bug.