Univention Bugzilla – Bug 57550
Access is accepted even though it is denied when account is present but not authorized
Last modified: 2024-08-28 17:59:23 CEST
A user is present within UCS with username = "username" and password = "password". The user has no configuration applied to it, is only a member of the Domain Users group and does not have RADIUS checked. If the user then tries to authenticate, he is still allowed access.

Output from univention-radius-check-access:

    sudo univention-radius-check-access --username username --station-id none
    DEBUG: [user=username; mac=e:::::] Given username: 'username'
    DEBUG: [user=username; mac=e:::::] Given stationId: 'none'
    DEBUG: [user=username; mac=e:::::] UCS@school RADIUS support is not installed
    DEBUG: [user=username; mac=e:::::] Checking LDAP settings for user
    DEBUG: [user=username; mac=e:::::] DENY 'uid=username,cn=users,dc=example'
    DEBUG: [user=username; mac=e:::::] -> DENY 'cn=Domain Users,cn=groups,dc=example'
    DEBUG: [user=username; mac=e:::::] -> -> DENY 'cn=Users,cn=Builtin,dc=example'
    INFO: [user=username; mac=e:::::] Login attempt denied by LDAP settings
    DEBUG: [user=username; mac=e:::::] User is not allowed to authenticate via RADIUS
    DEBUG: [user=username; mac=e:::::] ---
    Thus access is DENIED.

Output from radtest:

    radtest username password localhost 1812 testing123
    Sent Access-Request Id 252 from 0.0.0.0:34078 to 127.0.0.1:1812 length 76
            User-Name = "username"
            User-Password = "password"
            NAS-IP-Address = [REDACTED]
            NAS-Port = 1812
            Message-Authenticator = 0x00
            Cleartext-Password = "password"
    Received Access-Accept Id 252 from 127.0.0.1:1812 to 127.0.0.1:34078 length 83
            Reply-Message = "DEBUG: Not found, assigning default VLAN-ID"
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = "4010"

I have currently selected 4010 as the default VLAN for "freeradius/vlan-id", because it is an invalid VLAN within Unifi and causes it to deny the connection nevertheless. This is a highly undesirable workaround though. If the UCR variable is unset, the user is allowed access to whatever VLAN is selected in Unifi. By default, this is the management VLAN.
Please note that https://forge.univention.org/bugzilla/show_bug.cgi?id=56670 is a similar security issue and has already been open for almost a year. If you want me to file for a CVE, I can do that.
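The following is an added regression check written for this report; it is not code from UCS, FreeRADIUS or the reporter. It parses the output of the two tools quoted above (univention-radius-check-access and radtest) and flags the fail-open condition the report describes: the LDAP settings deny the user, yet the server still answers Access-Accept and hands out the default VLAN. The sample outputs are constructed from the report, the deny wording is taken from it, the "anything without a deny marker counts as allowed" rule and all helper names are this example's own assumptions, and run_live() simply wraps the two invocations shown in the report.

```python
"""Cross-check the LDAP-side RADIUS decision against FreeRADIUS's actual reply.

Added example for this bug report (not UCS code). Verdict "fail-open" means
LDAP settings say DENY but the server returned Access-Accept.
"""
import re
import subprocess
from typing import Optional

# Constructed sample: univention-radius-check-access output as quoted in the report.
CHECK_ACCESS_OUTPUT = """\
DEBUG: [user=username; mac=e:::::] Given username: 'username'
DEBUG: [user=username; mac=e:::::] Checking LDAP settings for user
DEBUG: [user=username; mac=e:::::] DENY 'uid=username,cn=users,dc=example'
DEBUG: [user=username; mac=e:::::] -> DENY 'cn=Domain Users,cn=groups,dc=example'
INFO: [user=username; mac=e:::::] Login attempt denied by LDAP settings
DEBUG: [user=username; mac=e:::::] User is not allowed to authenticate via RADIUS
DEBUG: [user=username; mac=e:::::] ---
Thus access is DENIED.
"""

# Constructed sample: radtest reply as quoted in the report.
RADTEST_OUTPUT = """\
Sent Access-Request Id 252 from 0.0.0.0:34078 to 127.0.0.1:1812 length 76
    User-Name = "username"
    User-Password = "password"
Received Access-Accept Id 252 from 127.0.0.1:1812 to 127.0.0.1:34078 length 83
    Reply-Message = "DEBUG: Not found, assigning default VLAN-ID"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "4010"
"""

# Deny wording as it appears in the report's check-access output.
DENY_MARKERS = (
    "Login attempt denied by LDAP settings",
    "User is not allowed to authenticate via RADIUS",
    "Thus access is DENIED",
)


def ldap_decision(check_access_output: str) -> str:
    """"DENY" if check-access printed a deny marker, else "ALLOW" (assumption:
    the allow wording is not in the report, so absence of a denial is treated as allow)."""
    return "DENY" if any(m in check_access_output for m in DENY_MARKERS) else "ALLOW"


def radius_decision(radtest_output: str) -> tuple:
    """(code, vlan): code is "ACCEPT", "REJECT" or "NONE" (no reply seen);
    vlan is the Tunnel-Private-Group-Id value if the reply carried one."""
    code = "NONE"
    m = re.search(r"^Received Access-(Accept|Reject)\b", radtest_output, re.M)
    if m:
        code = m.group(1).upper()
    v = re.search(r'Tunnel-Private-Group-Id(?::\d+)? = "?([^"\n]+)"?', radtest_output)
    return code, (v.group(1) if v else None)


def classify(check_access_output: str, radtest_output: str,
             default_vlan: Optional[str] = None) -> dict:
    """Compare both views. An accept that only lands in the default VLAN
    (the freeradius/vlan-id workaround) is still an accept and still fail-open."""
    ldap = ldap_decision(check_access_output)
    code, vlan = radius_decision(radtest_output)
    if ldap == "DENY" and code == "ACCEPT":
        verdict = "fail-open"
    elif ldap == "ALLOW" and code == "REJECT":
        verdict = "fail-closed"
    else:
        verdict = "consistent"
    default_assigned = ("assigning default VLAN-ID" in radtest_output
                        or (default_vlan is not None and vlan == default_vlan))
    return {"ldap": ldap, "radius": code, "vlan": vlan,
            "default_vlan_assigned": default_assigned, "verdict": verdict}


def run_live(username: str, password: str, secret: str, host: str = "localhost") -> dict:
    """Run the two invocations from the report on a UCS host and classify them.
    Needs sudo and a reachable FreeRADIUS; not exercised offline."""
    ca = subprocess.run(["sudo", "univention-radius-check-access",
                         "--username", username, "--station-id", "none"],
                        capture_output=True, text=True)
    rt = subprocess.run(["radtest", username, password, host, "1812", secret],
                        capture_output=True, text=True)
    # check-access logs via DEBUG/INFO lines, which may land on stderr.
    return classify(ca.stdout + ca.stderr, rt.stdout + rt.stderr)


if __name__ == "__main__":
    result = classify(CHECK_ACCESS_OUTPUT, RADTEST_OUTPUT, default_vlan="4010")
    print(result)
    if result["verdict"] == "fail-open":
        raise SystemExit("RADIUS accepted a user that LDAP settings deny")
```

On a real host, run_live("username", "password", "testing123") reproduces the report's steps; the exit status of the stand-alone run makes it usable as a post-upgrade check that the fix (or the VLAN workaround) actually turns the accept into a reject rather than merely re-homing it.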