Regression #11534
openFreeRADIUS EAP anonymous connection forbidden out-of-tunnel
Status: New
Priority: High
Assignee: -
Category: FreeRADIUS
Target version: -
Start date: 02/25/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.4.x
Affected Plus Version:
Affected Architecture: All
Description
With an LDAP backend but no SQL backend, the virtual server configuration ends up as follows:
if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    ### sql DISABLED ###
    if (true) {
        redundant {
            ldap
            # this line adds ldap2 when activated
            ### ldap2 disabled ###
        }
        if (notfound || noop) {
            reject
        }
    }
}
This makes EAP broken with out-of-tunnel authentication; specifically, running the icinga/nagios test as follows fails:
$ rad_eap_test -H pfsense.host.example.com -P 1812 -m WPA-EAP -e TTLS -S shared-secret -u user -p password -s ssid -A anonymous
But it passes as follows:
$ rad_eap_test -H pfsense.host.example.com -P 1812 -m WPA-EAP -e TTLS -S shared-secret -u user -p password -s ssid
So there's clearly a regression here, from about 0.15.7_26 (https://github.com/pfsense/FreeBSD-ports/commit/5ceedd725d87d564348f5aa4fa24e4f0a9d1dc21).
Changing the virtual configuration to this fixes this temporarily, though:
if (true) {
    redundant {
        ldap
        # this line adds ldap2 when activated
        ### ldap2 disabled ###
    }
}
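To make the failure mode in this report concrete, the following is an added, simplified Python model of the two unlang fragments quoted above; it is not FreeRADIUS code and not part of the bug report. It assumes (as the report's symptoms imply) that the eap module has already set Control:Auth-Type to "eap" on both the outer and the tunneled request, so the `!= "Accept"` condition is true for both, and it replaces the LDAP backend with a constructed in-memory user set. Rad_eap_test with `-A anonymous` is modeled as an outer identity of "anonymous" and an inner identity of "user"; without `-A`, both identities are the real user. The last check also shows the side effect of the temporary fix that an operator should keep in mind: this block then no longer rejects unknown users itself, so whether such a request is ultimately rejected depends on the rest of the virtual server, which the report does not show.

```python
"""Model of the pfSense-generated FreeRADIUS authorize block (added example, not FreeRADIUS code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the LDAP directory: the only user it knows about.
LDAP_USERS = {"user"}


@dataclass
class Request:
    user_name: str              # User-Name seen by this virtual server
    auth_type: Optional[str]    # Control:Auth-Type set by earlier modules (None if unset)
    outer_eap: bool             # True for the un-tunneled outer EAP-TTLS request


def ldap_lookup(user_name: str) -> str:
    """Return the module rcode the ldap module would yield for this user."""
    return "ok" if user_name in LDAP_USERS else "notfound"


def authorize(req: Request, reject_unknown: bool) -> str:
    """Evaluate the quoted block for one request; returns 'reject' or 'pass'.

    reject_unknown=True  -> the block as generated, with 'if (notfound || noop) { reject }'
    reject_unknown=False -> the reporter's temporary fix, with that inner block removed
    """
    # "%{%{Control:Auth-Type}:-No-Accept}" != "Accept": the outer condition is only
    # false when an earlier module already accepted the request.
    auth_type = req.auth_type if req.auth_type is not None else "No-Accept"
    if auth_type == "Accept":
        return "pass"
    rcode = ldap_lookup(req.user_name)
    if reject_unknown and rcode in ("notfound", "noop"):
        return "reject"
    return "pass"


def eap_ttls(outer_identity: str, inner_identity: str, reject_unknown: bool) -> str:
    """Model one EAP-TTLS exchange as rad_eap_test drives it.

    The outer (out-of-tunnel) request carries outer_identity, the tunneled inner
    request carries inner_identity. Assumption: the eap module has set
    Control:Auth-Type = eap on both before this block runs.
    """
    outer = Request(outer_identity, "eap", outer_eap=True)
    if authorize(outer, reject_unknown) == "reject":
        return "fail"   # the server rejects before the tunnel is even built
    inner = Request(inner_identity, "eap", outer_eap=False)
    if authorize(inner, reject_unknown) == "reject":
        return "fail"
    return "pass"


if __name__ == "__main__":
    # The report's two rad_eap_test runs against the generated (broken) block:
    print("-A anonymous, generated block:", eap_ttls("anonymous", "user", reject_unknown=True))
    print("no -A,        generated block:", eap_ttls("user", "user", reject_unknown=True))
    # The same anonymous run against the reporter's temporary fix:
    print("-A anonymous, temporary fix:  ", eap_ttls("anonymous", "user", reject_unknown=False))
    # Side effect of the temporary fix: this block alone no longer rejects unknown users.
    print("unknown user, temporary fix:  ", authorize(Request("nobody", "eap", False), reject_unknown=False))
```

Running the block reproduces the report: the anonymous outer identity is not in LDAP, the generated block rejects it, and the exchange fails before the tunnel carries the real credentials, while the run without `-A` passes because the outer identity is a known user.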
Updated by Didier Raboud over 3 years ago
This is still affecting 2.5.2 and 2.6.0.