
Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#12129 closed defect (fixed)

RADIUS caching

Reported by: jackc@…
Owned by: developers
Priority: high
Milestone: Chaos Calmer 15.05
Component: base system
Version: 10.03.1
Keywords:
Cc:

Description

There is a security problem with WPA2 Enterprise. Because caching of auth data is enabled in hostapd by default, it's possible to connect as a RADIUS-disabled user and even to use cached data from one virtual access point on another.

After disabling the user in RADIUS, disconnecting the client and connecting again, auth is performed only within the AP/OpenWRT without any RADIUS server communication.

Problem is described in forum: https://forum.openwrt.org/viewtopic.php?id=19596

I found a solution based on hardcoding hostapd configuration into /lib/wifi/mac80211.sh. After the line with "ignore_broadcast_ssid=$hidden" I wrote:

disable_pmksa_caching=1
okc=0
rsn_preauth=0

All hostapd configuration options are commented here: http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/hostapd.conf

My configuration is a TP-Link 1043ND, latest stable OpenWrt (but tested on the latest nightly build too), PEAP on FreeRADIUS.

Attachments (0)

Change History (2)

comment:1 Changed 5 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Should be fixed with r33359 - caching defaults to off now and can be re-enabled by setting "option auth_cache 1".
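The reporter's three hostapd options and the r33359 "option auth_cache" switch both end up as lines in the hostapd configuration that OpenWrt generates for each radio. The following is an added example, not code from the ticket or from OpenWrt, that audits such a generated file for any cached-authentication path still being open. It assumes the hostapd defaults documented in hostapd.conf (disable_pmksa_caching=0, okc=0, rsn_preauth=0), so a missing disable_pmksa_caching line means PMKSA caching is on; the sample configs it writes are constructed for the demo, and the path /var/run/hostapd-phy0.conf mentioned below is assumed to be where OpenWrt writes the generated file.

```shell
#!/bin/sh
# Added example (not from the ticket or OpenWrt): audit a generated hostapd
# config for the caching-related options discussed in this ticket.
# Assumed hostapd defaults: disable_pmksa_caching=0, okc=0, rsn_preauth=0.

# hostapd_opt FILE KEY DEFAULT: print the last value of KEY in FILE, or
# DEFAULT when the key is absent (hostapd uses the last occurrence).
hostapd_opt() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '%s\n' "$3"
    fi
}

# check_hostapd_caching FILE: return 0 when no cached-auth path is enabled,
# 1 otherwise, printing one line per offending option.
check_hostapd_caching() {
    rc=0
    [ "$(hostapd_opt "$1" disable_pmksa_caching 0)" = "1" ] \
        || { echo "$1: PMKSA caching enabled (disable_pmksa_caching != 1)"; rc=1; }
    [ "$(hostapd_opt "$1" okc 0)" = "0" ] \
        || { echo "$1: opportunistic key caching enabled (okc != 0)"; rc=1; }
    [ "$(hostapd_opt "$1" rsn_preauth 0)" = "0" ] \
        || { echo "$1: RSN pre-authentication enabled (rsn_preauth != 0)"; rc=1; }
    return $rc
}

# write_sample_configs DIR: constructed sample files for the demo, NOT real
# OpenWrt output. "default" mimics a config with no caching directives at all,
# "hardened" carries the reporter's three lines, "okc" disables PMKSA caching
# but leaves OKC on.
write_sample_configs() {
    printf 'interface=wlan0\nssid=corp\nwpa=2\nwpa_key_mgmt=WPA-EAP\n' \
        > "$1/default.conf"
    printf 'interface=wlan0\nssid=corp\nwpa=2\nwpa_key_mgmt=WPA-EAP\n' \
        > "$1/hardened.conf"
    printf 'disable_pmksa_caching=1\nokc=0\nrsn_preauth=0\n' \
        >> "$1/hardened.conf"
    printf 'interface=wlan0\nssid=corp\nwpa=2\ndisable_pmksa_caching=1\nokc=1\n' \
        > "$1/okc.conf"
}

# Stand-alone demo: on a live OpenWrt box you would instead point
# check_hostapd_caching at the generated file, e.g. /var/run/hostapd-phy0.conf
# (assumed path), after setting "option auth_cache" in /etc/config/wireless.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in default hardened okc; do
    if check_hostapd_caching "$demo_dir/$f.conf"; then
        echo "$demo_dir/$f.conf: OK, no cached authentication path"
    fi
done
```

Only "hardened.conf" passes; "default.conf" is flagged for PMKSA caching and "okc.conf" for OKC, which is the distinction the reporter's second sentence is about: PMKSA caching alone lets a disabled user reconnect to the same AP, while OKC and pre-authentication extend that to other BSSes.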

comment:2 Changed 4 years ago by jow

  • Milestone changed from Backfire 10.03.2 to Chaos Calmer (trunk)

Milestone Backfire 10.03.2 deleted
