Univention Bugzilla – Bug 44917
(U@S 4.2) RADIUS NTLM auth fails with Cisco APs due to Station ID format
Last modified: 2017-09-12 13:17:18 CEST
This also affects UCS@school

+++ This bug was initially created as a clone of Bug #42722 +++

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
------------------------------------------------------------

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "12.34.56.78.90.ab" (or "12.34.56.78.90.ab") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
All non-hexadecimal characters are now stripped from station id before decoding the station id ==> no failure anymore because of station ids.

Please note that the station id is not used in UCS@school's auth helper ucs-school-ntlm-auth-suidwrapper! But there is a similar but more complex auth helper in univention-radius that uses the same CLI arguments. That's why --station-id has not been removed from argument list.

Patches have been ported from UCS@school 4.1R2 to UCS@school 4.2 (unfortunately with bug numbers of 4.1R2):

ucs-school-radius-802.1x (6.0.1-1):
r82474 | Bug #44916: support different types of stationIds

Package: ucs-school-radius-802.1x
Version: 6.0.1-1A~4.2.0.201708242117
Branch: ucs_4.2-0
Scope: ucs-school-4.2
QA:

root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=112233445566
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11:22:33:44:55:66
Logon failure (0xc000006d)
OK: all formats are working
OK: YAML
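
The stripping approach discussed in this bug, as an added example in Python 3; it is not the code of univention-radius-ntlm-auth and not the attached diff. `legacy_parse` is a reconstruction of the old assumption from the bug description, the 12-digit length check is an added assumption (station ID treated as a 48-bit MAC), and the sample IDs are the ones quoted in the report and in the QA run.

```python
import re

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")

# Station IDs quoted on this page: the Cisco form from the report and the QA inputs.
CISCO_REPORTED = "1234.5678.09ab"
QA_FORMATS = ["1122.3344.5566", "11-22-33-44-55-66", "1122-3344-5566",
              "112233445566", "11:22:33:44:55:66"]


def legacy_parse(station_id):
    """Reconstructed old assumption (not the script's code):
    two hex digits, then one ignored character, repeated."""
    pairs = [station_id[i:i + 2] for i in range(0, len(station_id), 3)]
    return bytes.fromhex("".join(pairs))  # ValueError on a non-hex digit


def normalize_station_id(station_id):
    """Drop everything that is not a hex digit, then decode.

    The 12-digit check is an added assumption: it turns truncated or padded
    input into a clear error instead of a decode failure or a wrong value.
    """
    digits = _NON_HEX.sub("", station_id)
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits, got %d in %r"
                         % (len(digits), station_id))
    return bytes.fromhex(digits)


def normalize_all(ids):
    """Map each raw station ID to its normalized lowercase hex form."""
    return {raw: normalize_station_id(raw).hex() for raw in ids}


if __name__ == "__main__":
    try:
        legacy_parse(CISCO_REPORTED)
    except ValueError as exc:
        print("legacy parse fails on %s: %s" % (CISCO_REPORTED, exc))
    for raw, mac in normalize_all([CISCO_REPORTED] + QA_FORMATS).items():
        print("%-20s -> %s" % (raw, mac))
```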
UCS@school 4.2 v3 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.2v3-de.html

If this error occurs again, please clone this bug.