Bug 1254176

| Summary: | FreeRADIUS 2.2.6 miscalculates MPPE keys with TLS 1.2 |
|---|---|
| Product: | Red Hat Enterprise Linux 6 |
| Component: | freeradius |
| Version: | 6.8 |
| Status: | CLOSED ERRATA |
| Severity: | high |
| Priority: | high |
| Reporter: | Jan Kurik <jkurik> |
| Assignee: | Nikolai Kondrashov <nikolai.kondrashov> |
| QA Contact: | Patrik Kis <pkis> |
| CC: | dpal, eduroam-uk-support, fabio.pedretti, jherrman, nick.lowe, nikolai.kondrashov, oss, paolo.barbato, pkis, salmy, striker, t.h.amundsen |
| Target Milestone: | rc |
| Keywords: | ZStream |
| Hardware: | All |
| OS: | Unspecified |
| Doc Type: | Bug Fix |
| Clone Of: | 1248484 |
| Bug Depends On: | 1248484 |
| Last Closed: | 2015-09-22 14:02:46 UTC |

Doc Text:

Previously, when using the Extensible Authentication Protection (EAP) to authenticate clients that use the TLS 1.2 protocol, such as systems with iOS 9 or Windows 7, the connection with the authentication server could not be established and the operation thus failed. This update ensures that Microsoft Point-to-Point Encryption (MPPE) keys are calculated correctly when TLS 1.2 is used, which prevents the described problem from occurring.

Description
Jan Kurik
2015-08-17 11:03:14 UTC

Suggest correcting the Doc Text to:

Previously, when using Extensible Authentication Protection (EAP) to authenticate clients that use the TLS 1.2 protocol, such as systems with iOS 9, OS X El Capitan (OS X 11), wpa_supplicant 2.4 and, when configured, Windows 7 and later, a usable association to a WPA2-Enterprise/802.1X SSID could not be established and the connection thus failed. This update ensures that Microsoft Point-to-Point Encryption (MPPE) keys are calculated correctly when TLS 1.2 is used, which prevents the described problem from occurring. The Master Session Key (MSK) is derived from the MS-MPPE-Recv-Key (MasterReceiveKey) and MS-MPPE-Send-Key (MasterSendKey).

The public release date for iOS 9 is likely to be in mid-September. Please can a patch for this be available by then?

Nick,

We prepared a fixed package and it's ready to be included in the next Z-Stream release. However, during testing we found that FreeRADIUS v2.x.x doesn't seem to work with EAP-TTLS/CHAP/MSCHAP/MSCHAPv2 when running with wpa_supplicant 2.4. That includes the latest v2.x.x release - v2.2.8. All the other relevant wpa_supplicant methods seem to work. We're not sure what's at fault here, at this moment - FreeRADIUS or WPA supplicant. Would this state of support be satisfactory, or do we need to pursue a solution for these apparently broken EAP types?

Sorry, I've just seen this. Having seen your message in the FreeRADIUS mailing list and the subsequent replies, I understand that the fixes are here:

https://github.com/FreeRADIUS/freeradius-server/commit/905aadc266c19e7fb6615f79280f67023a46ee4e
https://github.com/FreeRADIUS/freeradius-server/commit/a79e943d49b3a9cad3c7bc2ff0fe618bc43192b5

Well found! :)

Cheers,
Nick

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1829.html
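
An added example, not part of the bug report or of FreeRADIUS: RFC 5216 takes the EAP-TLS MSK from the TLS PRF with the label "client EAP encryption", and its first and second 32 bytes become MS-MPPE-Recv-Key and MS-MPPE-Send-Key. The sketch shows a server that applies the pre-1.2 PRF to a TLS 1.2 session deriving different MPPE keys from the peer. The report does not state the root cause, so the PRF mismatch, the function names and the handshake values below are assumptions.

```python
import hmac

LABEL = b"client EAP encryption"  # RFC 5216 key-derivation label


def p_hash(hash_name, secret, seed, length):
    """P_hash data-expansion function shared by the TLS PRFs."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(A(i) + seed)
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(first half) XOR P_SHA1(second half)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5 = p_hash("md5", s1, label + seed, length)
    sha1 = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF for cipher suites that use the default SHA-256 PRF."""
    return p_hash("sha256", secret, label + seed, length)


def mppe_keys(prf, master_secret, client_random, server_random):
    """Return (MS-MPPE-Recv-Key, MS-MPPE-Send-Key) = MSK[0:32], MSK[32:64]."""
    msk = prf(master_secret, LABEL, client_random + server_random, 64)
    return msk[:32], msk[32:]


# Constructed handshake values (assumptions, not from a real capture).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    peer = mppe_keys(prf_tls12, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    legacy = mppe_keys(prf_tls10, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("legacy-PRF server keys match TLS 1.2 peer:", legacy == peer)
    print("Recv-Key (peer)  :", peer[0].hex())
    print("Recv-Key (legacy):", legacy[0].hex())
```

When the two sides disagree on these keys, the access point receives key material the client never derived, which matches the failed WPA2-Enterprise association described in the thread.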