The TLS session cache in FreeRADIUS fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
Created freeradius tracking bugs for this issue:
Affects: fedora-all [bug 1456698]
Disable TLS session caching in FreeRADIUS by setting "enable = no" in the cache subsection of the EAP module settings, which are in the /etc/raddb/mods-available/eap file.
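One way to confirm that the mitigation above is in place. This is an added example, not part of the original bug report or of FreeRADIUS. The sample configuration is constructed, the function names are hypothetical, and the check assumes the brace-delimited section layout with `#` comments used by the EAP module file.

```python
import re
import sys

# Constructed sample resembling an EAP module file; not taken from a real host.
SAMPLE_EAP = """\
eap {
    default_eap_type = peap
    tls-config tls-common {
        cache {
            # enable = no
            enable = yes
            lifetime = 24
        }
    }
}
"""

SECTION_OPEN = re.compile(r"^([\w.-]+)(?:\s+([\w.-]+))?\s*\{$")
ASSIGN = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")

def cache_enable_settings(text):
    """Return [(section_path, value)] for each 'enable' set directly in a 'cache' section."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented-out settings do not count
        if not line:
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))    # track nesting by section type
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "cache":
            m = ASSIGN.match(line)
            if m and m.group(1) == "enable":
                found.append(("/".join(stack), m.group(2).strip().strip('"').lower()))
    return found

def session_cache_disabled(text):
    """True only when 'enable' is explicitly 'no' in every cache section that sets it.
    A file with no explicit setting returns False, so the check fails closed."""
    settings = cache_enable_settings(text)
    return bool(settings) and all(value == "no" for _, value in settings)

if __name__ == "__main__":
    # Usage: python check_eap_cache.py /etc/raddb/mods-available/eap
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EAP
    print(cache_enable_settings(text))
    sys.exit(0 if session_cache_disabled(text) else 1)
```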
Created attachment 1287974
Backported fix for FreeRADIUS 3.0.4
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1581 https://access.redhat.com/errata/RHSA-2017:1581