First Last Prev Next    This bug is not in your last search results.
Bug 42722 - RADIUS NTLM auth fails with Cisco APs due to Station ID format
RADIUS NTLM auth fails with Cisco APs due to Station ID format
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Sönke Schwardt-Krummrich
Florian Best
:
Depends on:
Blocks: 44916 44917
  Show dependency treegraph
 
Reported: 2016-10-20 15:17 CEST by Moritz Bunkus
Modified: 2017-11-08 14:59 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback
Max CVSS v3 score:
best: Patch_Available+

Attachments
remove non hex digits from station ID via regex (779 bytes, patch)
2016-10-20 15:17 CEST, Moritz Bunkus 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Bunkus 2016-10-20 15:17:48 CEST 
Created attachment 8141 [details]
remove non hex digits from station ID via regex

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
------------------------------------------------------------

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "12.34.56.78.90.ab" (or "12.34.56.78.90.ab") — two hex digits followed by an arbitrary, ignored character.

A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
Comment 1 Florian Best univentionstaff 2017-10-23 12:18:25 CEST 
The fix is already part of UCS@school ucs-school-ntlm-auth but not for UCS univention-ntlm-auth. We should port the changes to UCS.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-10-25 18:12:24 CEST 
Prepared in feature branch sschwardt/42722/422/univention-radius
Comment 3 Florian Best univentionstaff 2017-10-25 18:35:31 CEST 
(In reply to Sönke Schwardt-Krummrich from comment #2)
> Prepared in feature branch sschwardt/42722/422/univention-radius
LGTM, I added 2 comments. Otherwise you can merge. All the logging stuff we don't want to add here?
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2017-11-02 16:09:38 CET 
univention-radius.yaml:
2a156ce6a7ba | Bug #42722: Merge branch 'sschwardt/42722/422/univention-radius' into 4.2-2
ba2a0e401edb | Bug #42722: add advisory

univention-radius (4.0.0-5):
2a156ce6a7ba | Bug #42722: Merge branch 'sschwardt/42722/422/univention-radius' into 4.2-2
0bde306e6f2a | Bug #42722: add changelog entry
05feb73b55fd | Bug #42722: use empty string as default - in accordance with UCS@school variant
1ec6edfc72a3 | Bug #42722: remove all non-hexadecimal characters from station id

Package: univention-radius
Version: 4.0.0-5A~4.2.0.201711021538
Branch: ucs_4.2-0
Scope: errata4.2-2
Comment 5 Florian Best univentionstaff 2017-11-02 16:33:35 CET 
OK: station id in CISCO AP format
/usr/bin/univention-radius-ntlm-auth --request-nt-key --username=Administrator --challenge=00 --nt-response=00 --station-id=1234.5678.09ab
Logon failure (0xc000006d)

OK: empty station id
/usr/bin/univention-radius-ntlm-auth --request-nt-key --username=Administrator --challenge=00 --nt-response=00
Logon failure (0xc000006d)

OK: YAML
Comment 6 Arvid Requate univentionstaff 2017-11-08 14:59:09 CET 
<http://errata.software-univention.de/ucs/4.2/213.html>
First Last Prev Next    This bug is not in your last search results.