Regression #11534

open

FreeRADIUS EAP anonymous connection forbidden out-of-tunnel

Added by Didier Raboud over 3 years ago. Updated about 3 years ago.

Status:
New
Priority:
High
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
02/25/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.4.x
Affected Plus Version:
Affected Architecture:
All

Description

With an LDAP backend but no SQL backend, the virtual server configuration ends up as follows:


    if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
        ### sql DISABLED ###
        if (true) {
            redundant {
                ldap
                # this line adds ldap2 when activated
                ### ldap2 disabled ###
            }
            if (notfound || noop) {
                reject
            }
        }
    }

This breaks EAP with out-of-tunnel authentication; specifically, running the icinga/nagios test as follows fails:

$ rad_eap_test -H pfsense.host.example.com -P 1812 -m WPA-EAP -e TTLS -S shared-secret -u user -p password -s ssid -A anonymous

But it passes as follows:

$ rad_eap_test -H pfsense.host.example.com -P 1812 -m WPA-EAP -e TTLS -S shared-secret -u user -p password -s ssid

So there's clearly a regression here, from about 0.15.7_26 (https://github.com/pfsense/FreeBSD-ports/commit/5ceedd725d87d564348f5aa4fa24e4f0a9d1dc21).

Changing the virtual server configuration to this fixes it temporarily, though:


    if (true) {
        redundant {
            ldap
            # this line adds ldap2 when activated
            ### ldap2 disabled ###
        }
    }
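
The following is an added example, not the pfSense package's generated configuration and not from the reporter. It places the regressed fragment beside a variant that keeps the "reject users not found in LDAP" check for plain PAP/CHAP requests but does not apply it to the outer leg of an EAP exchange, whose User-Name (here "anonymous") is not expected to exist in the directory; the inner-tunnel virtual server authenticates the real identity. The `ldap` module name and the `Auth-Type` test are taken from the fragment in the report; the `&EAP-Message` existence test is the added assumption (FreeRADIUS 3.x unlang syntax, to be checked against the installed version).

```unlang
# Regressed form (as in the report): every request is looked up in LDAP and
# rejected when not found. For EAP-TTLS with an anonymous outer identity the
# outer request carries User-Name = "anonymous", which has no LDAP entry, so
# the request is rejected before the TLS tunnel is built and the inner
# identity is never seen.
if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    redundant {
        ldap
    }
    if (notfound || noop) {
        reject
    }
}

# Added variant (assumption, not the package's own fix): only reject on
# "not found in LDAP" when the request is not part of an EAP exchange, i.e.
# when it carries no EAP-Message attribute. Outer EAP requests fall through
# to the eap module and the inner-tunnel server; non-EAP requests with an
# unknown user are still refused here.
if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    redundant {
        ldap
    }
    if ((notfound || noop) && !&EAP-Message) {
        reject
    }
}
```

Compared with simply deleting the `reject` block, this keeps the early refusal of unknown users for non-EAP requests, so the directory lookup still acts as a gate there; whether the inner-tunnel server performs its own LDAP lookup for the tunnelled identity has to be verified separately in the inner-tunnel virtual server configuration.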

Actions #1

Updated by Jim Pingle over 3 years ago

  • Target version deleted (2.5.1)
Actions #2

Updated by Didier Raboud about 3 years ago

This is still affecting 2.5.2 and 2.6.0.
