Bug 44917 - (U@S 4.2) RADIUS NTLM auth fails with Cisco APs due to Station ID format
(U@S 4.2) RADIUS NTLM auth fails with Cisco APs due to Station ID format
Product: UCS@school
Classification: Unclassified
Component: Radius
UCS@school 4.2
Other Linux
: P5 normal (vote)
: UCS@school 4.2 v3
Assigned To: Sönke Schwardt-Krummrich
Florian Best
Depends on: 42722 44916
  Show dependency treegraph
Reported: 2017-06-30 17:47 CEST by Sönke Schwardt-Krummrich
Modified: 2017-09-12 13:17 CEST (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2017-06-30 17:47:37 CEST
This also affects UCS@school

+++ This bug was initially created as a clone of Bug #42722 +++

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "" (or "") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2017-08-24 21:27:36 CEST
All non hexadecimal characters are now stripped from station id before decoding the station id == > no failure anymore because of station ids.

Please note that the station id is not used in UCS@school's auth helper
But there is a similar but more complex auth helper in univention-radius that uses the same CLI arguments. That's why --station-id has not been removed from argument list.

Patches have been ported from UCS@school 4.1R2 to UCS@school 4.2 (unfortunately with bug numbers of 4.1R2):

ucs-school-radius-802.1x (6.0.1-1):
r82474 | Bug #44916: support different types of stationIds

Package: ucs-school-radius-802.1x
Version: 6.0.1-1A~
Branch: ucs_4.2-0
Scope: ucs-school-4.2
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-08-30 16:51:42 CEST
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122.3344.5566
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11-22-33-44-55-66
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=1122-3344-5566
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=112233445566
Logon failure (0xc000006d)
root@master64:~# /usr/bin/ucs-school-ntlm-auth-suidwrapper --request-nt-key --username=None --challenge=00 --nt-response=00 --station-id=11:22:33:44:55:66
Logon failure (0xc000006d)
Comment 3 Florian Best univentionstaff 2017-08-31 10:58:33 CEST
OK: all formats are working
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2017-09-12 13:17:18 CEST
UCS@school 4.2 v3 has been released.


If this error occurs again, please clone this bug.