Univention Bugzilla – Bug 42722
RADIUS NTLM auth fails with Cisco APs due to Station ID format
Last modified: 2017-11-08 14:59:09 CET
Created attachment 8141 [details]
remove non-hex digits from station ID via regex

This originates in a forum post[1] where the user reports the following traceback when he tries to authenticate with RADIUS:

------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 69, in main
    stationId = stationId.decode('hex')
  File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Non-hexadecimal digit found
------------------------------------------------------------

Debugging revealed that the station ID sent by his Cisco AP looks like this: "1234.5678.09ab"

The problem is that the "univention-radius-ntlm-auth" script assumes that the station ID uses the format "12.34.56.78.90.ab" (or "12.34.56.78.90.ab") — two hex digits followed by an arbitrary, ignored character. A potential fix is to change this to simply remove anything that's not a hex digit. The attached diff does exactly that.

[1] http://forum.univention.de/viewtopic.php?f=56&t=6143
The fix is already part of UCS@school ucs-school-ntlm-auth but not for UCS univention-ntlm-auth. We should port the changes to UCS.
Prepared in feature branch sschwardt/42722/422/univention-radius
(In reply to Sönke Schwardt-Krummrich from comment #2)
> Prepared in feature branch sschwardt/42722/422/univention-radius

LGTM, I added 2 comments. Otherwise you can merge. All the logging stuff we don't want to add here?
univention-radius.yaml:
2a156ce6a7ba | Bug #42722: Merge branch 'sschwardt/42722/422/univention-radius' into 4.2-2
ba2a0e401edb | Bug #42722: add advisory

univention-radius (4.0.0-5):
2a156ce6a7ba | Bug #42722: Merge branch 'sschwardt/42722/422/univention-radius' into 4.2-2
0bde306e6f2a | Bug #42722: add changelog entry
05feb73b55fd | Bug #42722: use empty string as default - in accordance with UCS@school variant
1ec6edfc72a3 | Bug #42722: remove all non-hexadecimal characters from station id

Package: univention-radius
Version: 4.0.0-5A~4.2.0.201711021538
Branch: ucs_4.2-0
Scope: errata4.2-2
OK: station id in CISCO AP format
/usr/bin/univention-radius-ntlm-auth --request-nt-key --username=Administrator --challenge=00 --nt-response=00 --station-id=1234.5678.09ab
Logon failure (0xc000006d)

OK: empty station id
/usr/bin/univention-radius-ntlm-auth --request-nt-key --username=Administrator --challenge=00 --nt-response=00
Logon failure (0xc000006d)

OK: YAML
<http://errata.software-univention.de/ucs/4.2/213.html>