UCS Radius Problem

Could you give advice please?

UCS Radius server allows access for users even if the “Allow network access” option is disabled.

root@ucs:~# univention-radius-check-access --username=TestUser
     DEBUG: [user=TestUser; mac=None] Given username: "TestUser"
     DEBUG: [user=TestUser; mac=None] Given stationId: "None"
     DEBUG: [user=TestUser; mac=None] UCS@school RADIUS support is not installed
     DEBUG: [user=TestUser; mac=None] Checking LDAP settings for user
     DEBUG: [user=TestUser; mac=None] DENY 'uid=TestUser,cn=***,cn=users,dc=***,dc=***'
     DEBUG: [user=TestUser; mac=None] -> DENY 'cn=Domain Admins,cn=groups,dc=***,dc=***'
     DEBUG: [user=TestUser; mac=None] -> DENY 'cn=***,cn=***,cn=groups,dc=***,dc=***'
     DEBUG: [user=TestUser; mac=None] -> DENY 'cn=Domain Users,cn=groups,dc=***,dc=***'
      INFO: [user=TestUser; mac=None] Login attempt denied by LDAP settings
     DEBUG: [user=TestUser; mac=None] User is not allowed to authenticate via RADIUS
     DEBUG: [user=TestUser; mac=None] --- Thus access is DENIED.

root@ucs:~# radtest TestUser *** 127.0.0.1:1812 0 testing123
Sent Access-Request Id 203 from 0.0.0.0:59456 to 127.0.0.1:1812 length 85
	User-Name = "TestUser"
	User-Password = "***"
	NAS-IP-Address = 10.0.0.192
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "***"
Received Access-Accept Id 203 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

root@ucs:~# ucr search version/version version/patchlevel version/errata
version/erratalevel: 168
version/patchlevel: 0
version/version: 4.4

We would like to control access to the radius for our user groups, but unfortunately we can’t do this right now.

This sounds quite a bit like what has already been reported here (please compare whether I’m right or wrong):
which led to bug 49283 being opened.

TL;DR: The “Allow network access” attribute works together with MSCHAP authentication as of 4.4.0. radtest uses PAP by default. The current issue, as I see it, is that while PEAP-MSCHAP is OK for wireless networks, PAP is still used on many switches for wired 802.1x.

If you want to fully test PEAP-MSCHAPv2 and other methods beyond what the built-in tools radtest or univention-radius-check-access offer, I suggest reading Alan Dekok’s page about the usage of eapol_test: http://deployingradius.com/scripts/eapol_test/

(Alan Dekok is the co-founder of the FreeRADIUS project and still one of its main developers to this day.)
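
The reply above makes a point worth checking directly: radtest speaks PAP unless told otherwise, so a single radtest run does not show whether “Allow network access” is enforced for MSCHAP or PEAP-MSCHAPv2. The script below is an added example, not code from the original thread, from Univention or from FreeRADIUS. It probes the same user with radtest -t pap, radtest -t mschap and eapol_test (PEAP with inner MSCHAPv2) and reports which methods return an accept. It assumes a RADIUS server on 127.0.0.1:1812 with the client secret testing123 (the values used in the post), that radtest and eapol_test are installed, and that the user name and password are supplied as arguments; the function names and the environment variables are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Univention or FreeRADIUS):
# probe one user with PAP, MSCHAP and PEAP-MSCHAPv2 and compare the verdicts.
# Assumptions: FreeRADIUS on $RADIUS_HOST:$RADIUS_PORT with secret
# $RADIUS_SECRET; radtest and eapol_test present in PATH.

RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_PORT="${RADIUS_PORT:-1812}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"

# Constructed sample taken from the Access-Accept line in the post, used for
# a self-check of the classifier without a live server.
SAMPLE_ACCEPT='Received Access-Accept Id 203 from 127.0.0.1:1812 to 0.0.0.0:0 length 20'

# Reduce radtest output to one word: accept, reject or unknown (timeout etc.).
classify_radtest() {
    case "$1" in
        *"Received Access-Accept"*) echo accept ;;
        *"Received Access-Reject"*) echo reject ;;
        *) echo unknown ;;
    esac
}

# eapol_test ends its run with a line reading SUCCESS or FAILURE.
classify_eapol() {
    case "$1" in
        *SUCCESS*) echo accept ;;
        *FAILURE*) echo reject ;;
        *) echo unknown ;;
    esac
}

# radtest -t <pap|chap|mschap|eap-md5>: the default is pap, which is why the
# radtest run in the post does not exercise the MSCHAP path at all.
probe_radtest() {
    # $1: auth type, $2: user, $3: password
    out=$(radtest -t "$1" "$2" "$3" "$RADIUS_HOST:$RADIUS_PORT" 0 "$RADIUS_SECRET" 2>&1)
    classify_radtest "$out"
}

# Minimal wpa_supplicant-style config for eapol_test: outer PEAP, inner MSCHAPv2.
write_peap_config() {
    # $1: path, $2: user, $3: password
    cat > "$1" <<EOF
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="$2"
    password="$3"
    phase2="auth=MSCHAPV2"
    eapol_flags=0
}
EOF
}

probe_eapol() {
    # $1: user, $2: password
    cfg=$(mktemp)
    write_peap_config "$cfg" "$1" "$2"
    out=$(eapol_test -c "$cfg" -a "$RADIUS_HOST" -p "$RADIUS_PORT" -s "$RADIUS_SECRET" 2>&1)
    rm -f "$cfg"
    classify_eapol "$out"
}

# Run all three probes. A user whose "Allow network access" is disabled
# should be rejected by every one of them; return 1 if any method accepts.
compare_methods() {
    user="$1"; pass="$2"; rc=0
    for m in pap mschap; do
        r=$(probe_radtest "$m" "$user" "$pass")
        echo "radtest -t $m: $r"
        if [ "$r" = accept ]; then rc=1; fi
    done
    r=$(probe_eapol "$user" "$pass")
    echo "eapol_test PEAP/MSCHAPv2: $r"
    if [ "$r" = accept ]; then rc=1; fi
    return $rc
}

# Usage: ./radius-probe.sh <user> <password>
if [ "$#" -ge 2 ]; then
    compare_methods "$1" "$2"
fi
```

With the behaviour described in the reply, a user with network access disabled on 4.4-0 would show radtest -t pap: accept next to radtest -t mschap: reject and eapol_test PEAP/MSCHAPv2: reject, which is exactly the gap that matters for wired switches that still use PAP.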

Hi msi,

thanks for the reply!

I will wait for the fix.
