Hello,
I have noticed a weird behavior of FreeRADIUS server included in the application RADIUS spread through the App Center.
According to the logic FreeRADIUS server should respond by “Access-Accept packet” if LDAP entry of user has the assigned univentionNetworkAccess object class or belongs to LDAP group that has the same object class. In all other scenarious it should return “Access-Reject packet” for all requests.
However, we have figured out the following (we used radtest tool):
-
The user has the parameter “Allow network access” or belongs to LDAP group with this parameter enabled:
-
Simple request to FreeRADIUS server without setting authentication method:
radtest <username> <user's password> <ldap server> 1812 <RADIUS client password>
We get the following response:
Sending Access-Request of id 164 to xxx.xxx.xxx.xxx port 1812 User-Name = "TestUser" User-Password = "xxxxxxxxxxx" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx port 1812, id=164, length=20
-
Request to FreeRADIUS server with setting authentication method to MSCHAP:
radtest -t mschap <username> <user's password> <ldap server> 1812 <RADIUS client password>
We get the following response:
Sending Access-Request of id 197 to xxx.xxx.xxx.xxx port 1812 User-Name = "TestUser" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x28c8a5df5a9438c8 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003ab93eb930a00a3b112ed3257de1cd0f1bf3059b264c13c8 rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx port 1812, id=197, length=84 MS-CHAP-MPPE-Keys = 0x3fefc50b0ff9a88e3aca91c7a6f443a421b9209c5780e6ce0000000000000000 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004
-
-
The user does not have the parameter “Allow network access” that means RADIUS server should always respond by REJECT.
- Simple request to FreeRADIUS server without setting authentication method:
We get the following response:radtest <username> <user's password> <ldap server> 1812 <RADIUS client password>
Sending Access-Request of id 81 to xxx.xxx.xxx.xxx port 1812 User-Name = "TestUser" User-Password = "xxxxxxxxxxxxx" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx port 1812, id=81, length=20
- Request to FreeRADIUS server with setting authentication method to MSCHAP:
We get the following response:radtest -t mschap <username> <user's password> <ldap server> 1812 <RADIUS client password>
Sending Access-Request of id 101 to xxx.xxx.xxx.xxx port 1812 User-Name = "TestUser" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x4e5ca55d6551cc7b MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000648f2a36ae1642ea518e7d24a7ffef000ca910f2fdcccbc1 rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=101, length=61 MS-CHAP-Error = "\000E=691 R=1 C=6d6d8012da7bb429 V=2"
- Simple request to FreeRADIUS server without setting authentication method:
Eventually, the provided examples of output of radtest tool show that user with forbidden access to network still has access to network if requests to FreeRADIUS server are not encrypted.
For example, OpenConnnect VPN server does not encrypt requests to RADIUS server and this means that any user, which account exists on UCS server, can connect to infrastructure.
I am worried right now because of that, since this looks like a vulnerability for me.
Could you please explain to me whether the aforementioned behavior is normal and planned or not?
Is there a chance that something is wrong with parameters in Univention Configuration Registry?
Thanks in advance.