Anonymous | Login | 2024-11-22 04:00 EST |
Main | My View | View Issues | Change Log | Roadmap |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
ID | Project | Category | View Status | Date Submitted | Last Update | |||
0001034 | PacketFence | radius | public | 2010-07-21 13:31 | 2012-08-14 09:15 | |||
Reporter | obilodeau | |||||||
Assigned To | obilodeau | |||||||
Priority | low | Severity | major | Reproducibility | always | |||
Status | closed | Resolution | fixed | |||||
Platform | OS | OS Version | ||||||
Product Version | ||||||||
Target Version | 2.0.0 | Fixed in Version | 2.0.0 | |||||
Summary | 0001034: Our freeradius module is not aware of EAP's success or failure | |||||||
Description | Any action we make in our radius module will be triggered over 802.1X no matter if EAP is successful or not. This means that an unauthenticated user can insert itself in locationlog, etc. even if he doesn't have the right credentials. Not critical but let me give you an example where this is a problem: Auto-registration of successfully authenticated devices. Since we can't tell if EAP was successful or not, we will always auto-register a device trying to do dot1x and in certain setup he could fall-back to MAB and be considered registered! That's bad! | |||||||
Tags | No tags attached. | |||||||
fixed in git revision | ||||||||
fixed in mtn revision | 9fc787813f9d6bed73a2b0fcb098227044076c9e | |||||||
Attached Files | ||||||||
Notes | |
(0001631) obilodeau (reporter) 2010-08-25 15:19 |
Reading freeradius' doc/aaa.txt I've come to realize that all our code is not in the correct section and that's why there are a lot of seemingly duplicated requests in some of our setups. Anyway, I can't make progress without a dot1x enabled lab right now so here are some notes of my progress. Try moving our code in post-auth {...} and see what happens with dot1x success and dot1 failures. Try rlm_perl's post_auth() and dump all radius-related hashes: - %RAD_CHECK Read-only Check items - %RAD_REQUEST Read-only Attributes from the request - %RAD_REPLY Read-write Attributes for the reply Also, for reference: we could have a module for auth failure and a module for auth success and do different stuff based on that. See http://freeradius.org/radiusd/doc/Post-Auth-Type [^] |
(0001694) obilodeau (reporter) 2010-09-24 18:17 |
Very good progress on this new request. Using post-auth I'm able to do exactly what's required. I'm even thinking of porting this into the 1.9 branch in our current radius module. |
(0001697) obilodeau (reporter) 2010-09-27 16:13 |
Change implemented in 1.9 on the SQL module and ported into trunk and the SOAP module. |
Issue History | |||
Date Modified | Username | Field | Change |
2010-07-21 13:31 | obilodeau | New Issue | |
2010-07-21 13:31 | obilodeau | Status | new => assigned |
2010-07-21 13:31 | obilodeau | Assigned To | => obilodeau |
2010-07-21 13:36 | obilodeau | Relationship added | child of 0001002 |
2010-08-25 15:19 | obilodeau | Note Added: 0001631 | |
2010-09-24 18:17 | obilodeau | Note Added: 0001694 | |
2010-09-27 16:13 | obilodeau | mtn revision | => 9fc787813f9d6bed73a2b0fcb098227044076c9e |
2010-09-27 16:13 | obilodeau | Note Added: 0001697 | |
2010-09-27 16:13 | obilodeau | Status | assigned => resolved |
2010-09-27 16:13 | obilodeau | Fixed in Version | => 1.9.2 |
2010-09-27 16:13 | obilodeau | Resolution | open => fixed |
2010-11-19 14:23 | obilodeau | Fixed in Version | 1.9.2 => trunk |
2010-11-19 14:25 | obilodeau | Target Version | 1.10.0 => 2.0.0 |
2010-12-15 11:37 | obilodeau | Fixed in Version | trunk => 2.0.0 |
2011-01-26 15:42 | obilodeau | Status | resolved => closed |
2012-08-14 09:15 | obilodeau | Category | radius module => radius |
Copyright © 2000 - 2012 MantisBT Group |