PacketFence
Bug Tracking System

View Issue Details
ID: 0001034
Project: PacketFence
Category: radius
View Status: public
Date Submitted: 2010-07-21 13:31
Last Update: 2012-08-14 09:15
Reporter: obilodeau
Assigned To: obilodeau
Priority: low
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version:
Target Version: 2.0.0
Fixed in Version: 2.0.0
Summary: 0001034: Our freeradius module is not aware of EAP's success or failure
Description: Any action we make in our radius module will be triggered over 802.1X no matter if EAP is successful or not. This means that an unauthenticated user can insert itself in locationlog, etc. even if he doesn't have the right credentials.

Not critical but let me give you an example where this is a problem:

Auto-registration of successfully authenticated devices. Since we can't tell if EAP was successful or not, we will always auto-register a device trying to do dot1x and in certain setups he could fall back to MAB and be considered registered! That's bad!
Tags: No tags attached.
fixed in git revision:
fixed in mtn revision: 9fc787813f9d6bed73a2b0fcb098227044076c9e
Attached Files:

- Relationships
child of 0001002 (closed, obilodeau): Optional auto-registration of authenticated devices

-  Notes
(0001631)
obilodeau (reporter)
2010-08-25 15:19

Reading freeradius' doc/aaa.txt I've come to realize that all our code is not in the correct section and that's why there are a lot of seemingly duplicated requests in some of our setups.

Anyway, I can't make progress without a dot1x enabled lab right now so here are some notes of my progress.

Try moving our code in post-auth {...} and see what happens with dot1x success and dot1x failures.

Try rlm_perl's post_auth() and dump all radius-related hashes:
- %RAD_CHECK (read-only): check items
- %RAD_REQUEST (read-only): attributes from the request
- %RAD_REPLY (read-write): attributes for the reply

Also, for reference: we could have a module for auth failure and a module for auth success and do different stuff based on that.
See http://freeradius.org/radiusd/doc/Post-Auth-Type
(0001694)
obilodeau (reporter)
2010-09-24 18:17

Very good progress on this new request. Using post-auth I'm able to do exactly what's required. I'm even thinking of porting this into the 1.9 branch in our current radius module.
(0001697)
obilodeau (reporter)
2010-09-27 16:13

Change implemented in 1.9 on the SQL module and ported into trunk and the SOAP module.
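
The failure mode described in this issue and the effect of moving the actions into post-auth, as an added Python model that is not PacketFence or FreeRADIUS code. The class, the VLAN names, the sample credentials and MAC are constructed, and the placement name "before-eap-result" is an assumption standing in for whichever section the original code ran in.

```python
# Simplified model of issue 0001034 (constructed; not PacketFence/FreeRADIUS code).
# Only the "post-auth" section name comes from the notes; all other names are hypothetical.

VALID_CREDENTIALS = {"alice": "s3cret"}    # constructed sample user store


class RadiusModel:
    def __init__(self, placement):
        # placement: "before-eap-result" (assumed stand-in for the behaviour in
        # the description) or "post-auth" (the placement tried in the notes)
        self.placement = placement
        self.registered = set()     # MACs treated as registered nodes
        self.locationlog = []       # (mac, switch_port) entries

    def _module_actions(self, mac, port):
        self.locationlog.append((mac, port))
        self.registered.add(mac)    # auto-registration

    def dot1x(self, mac, port, user, password):
        """One 802.1X attempt; returns True on EAP success."""
        # Hook that fires on the request before the EAP outcome is known.
        if self.placement == "before-eap-result":
            self._module_actions(mac, port)
        eap_ok = VALID_CREDENTIALS.get(user) == password
        # Hook that fires only once the request has been accepted.
        if eap_ok and self.placement == "post-auth":
            self._module_actions(mac, port)
        return eap_ok

    def mab(self, mac):
        """MAC Authentication Bypass: the decision depends only on node status."""
        return "production" if mac in self.registered else "registration"


def failed_dot1x_then_mab(placement):
    """Device fails EAP with a wrong password, then the port falls back to MAB."""
    model = RadiusModel(placement)
    mac = "00:11:22:33:44:55"       # constructed sample MAC
    eap_ok = model.dot1x(mac, "Gi0/1", "alice", "wrong-password")
    return eap_ok, model.mab(mac), len(model.locationlog)


if __name__ == "__main__":
    for placement in ("before-eap-result", "post-auth"):
        print(placement, failed_dot1x_then_mab(placement))
```
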

- Issue History
Date Modified | Username | Field | Change
2010-07-21 13:31 | obilodeau | New Issue |
2010-07-21 13:31 | obilodeau | Status | new => assigned
2010-07-21 13:31 | obilodeau | Assigned To | => obilodeau
2010-07-21 13:36 | obilodeau | Relationship added | child of 0001002
2010-08-25 15:19 | obilodeau | Note Added: 0001631 |
2010-09-24 18:17 | obilodeau | Note Added: 0001694 |
2010-09-27 16:13 | obilodeau | mtn revision | => 9fc787813f9d6bed73a2b0fcb098227044076c9e
2010-09-27 16:13 | obilodeau | Note Added: 0001697 |
2010-09-27 16:13 | obilodeau | Status | assigned => resolved
2010-09-27 16:13 | obilodeau | Fixed in Version | => 1.9.2
2010-09-27 16:13 | obilodeau | Resolution | open => fixed
2010-11-19 14:23 | obilodeau | Fixed in Version | 1.9.2 => trunk
2010-11-19 14:25 | obilodeau | Target Version | 1.10.0 => 2.0.0
2010-12-15 11:37 | obilodeau | Fixed in Version | trunk => 2.0.0
2011-01-26 15:42 | obilodeau | Status | resolved => closed
2012-08-14 09:15 | obilodeau | Category | radius module => radius

