Thanks for the reply and the freeradius update.
On 8/5/2024 8:21 AM, Stuart Henderson wrote:
> On 2024-08-04, Mike <[email protected]> wrote:
>>
>> authentication method was not PAP
>> (radiusd_bsdauth(8) supports only PAP)
>>
>> OK, that's the likely problem. My WiFi access point is an old Linksys,
>> an LAPN600. When I go to the "Wireless Security" screen on the access
>> point, I see nothing to choose a protocol to use.
>
> For WPA-Enterprise, wifi access points typically tunnel EAP
> authentication (coming from the *client*, not the AP) to the RADIUS
> server. As well as handling auth, the RADIUS server also generates
> keying material for the session. OpenBSD radiusd doesn't support EAP or
> this key material generation. (The EAP method used is as chosen between
> client and RADIUS server).
>
>> So, it seems I have to stick with freeradiusd (and OpenBSD's insecure
>> version of it) for the nonce.
>
> I presume you're talking about "BlastRADIUS". This affects PAP, CHAP, or
> MS-CHAP over RADIUS/UDP, not EAP, so a typical WPA-Enterprise config
> is unaffected. It also requires that an attacker can view and modify
> RADIUS packets in transit, clearly a big issue where somebody runs
> the protocol over open internet connections (though this is something
> that has never really been OK with RADIUS anyway), but much less of
> a problem where it's run on a private network.
>
> While it is a serious issue, it certainly doesn't affect all
> configurations, and I can't help feeling that it's slightly overblown -
> there was a lot of publicity from inkbridge (recently rebranded from
> "network radius") who I note sell verification tools, upgrade guide and
> Excel worksheet. Certainly useful in some situations but people should
> read to see if they're actually vulnerable.
>
> The version of FreeRADIUS with fixes requires an additional function
> from libssl that libressl doesn't support yet. It's been added but
> not exposed until we're ready for a library bump. Once that's done
> I have an update ready to go. It won't be committed to -stable due to
> the need for that libssl change and another change to libcrypto that
> already went in.
>
> See https://www.inkbridgenetworks.com/blastradius/faq and
> https://www.freeradius.org/security/ for more info and mitigations that
> can be done via config until the software is updated.
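The quoted explanation draws the line between PAP/CHAP/MS-CHAP over RADIUS/UDP (affected by BlastRADIUS) and EAP (not affected), and mentions config-side mitigations. The mechanism behind that line is the Message-Authenticator attribute (type 80): an HMAC-MD5 over the whole packet keyed with the shared secret, which RFC 3579 makes mandatory for EAP traffic but which a plain PAP Access-Request was never required to carry, and which the config-side mitigations come down to requiring on every Access-Request. The Python below is an added example written for this reply; it is not code from the thread, from FreeRADIUS or from OpenBSD's radiusd. It builds a constructed PAP Access-Request (with RFC 2865 User-Password hiding), optionally with a Message-Authenticator, and implements the server-side check a strict server performs: reject packets where the attribute is missing or does not verify. All function names, the shared secret and the sample user are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 2869); values are standard, names are this example's
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one Type/Length/Value attribute (length counts the 2 header bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_user_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte chunk of the NUL-padded
    password is XORed with MD5(secret + previous ciphertext block), the first
    block using the Request Authenticator. This is what PAP-over-RADIUS sends."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def parse_attributes(packet):
    """Return [(type, offset_of_value, value)], rejecting malformed lengths."""
    attrs, pos, end = [], HEADER_LEN, len(packet)
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > end:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_request(secret, identifier, authenticator, attrs,
                         include_message_authenticator=True):
    """Build an Access-Request. The Message-Authenticator is HMAC-MD5(secret)
    over the packet with its own 16 value bytes zeroed (RFC 2869 s5.14)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if include_message_authenticator:
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = bytearray(header + authenticator + body)
    if include_message_authenticator:
        off = len(packet) - 16  # value of the last attribute we appended
        packet[off:off + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(packet, secret):
    """Server-side check: 'missing' (what a legacy PAP request looks like),
    'invalid' (wrong secret or modified in transit) or 'valid'."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    found = [(off, val) for t, off, val in parse_attributes(packet)
             if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    off, val = found[0]
    if len(val) != 16:
        return "invalid"
    zeroed = bytearray(packet)
    zeroed[off:off + 16] = b"\x00" * 16
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, val) else "invalid"


if __name__ == "__main__":
    # Constructed sample values; a real NAS picks a random Request Authenticator.
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    pw = encode_user_password(b"hunter2", secret, auth)
    attrs = [(ATTR_USER_NAME, b"mike"), (ATTR_USER_PASSWORD, pw)]
    for flag in (True, False):
        pkt = build_access_request(secret, 7, auth, attrs, flag)
        print(flag, verify_message_authenticator(pkt, secret))
```

A server configured to require the attribute treats "missing" the same as "invalid"; the cost is that every NAS and proxy in front of it must be one that adds Message-Authenticator to Access-Requests, which is why the thread's advice to check the actual configuration before deciding how exposed a deployment is still applies.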

