Jason,

Since the RADIUS server terminates the EAP session, it will be vulnerable to the attack.

Philippe

On Apr 15, 2014, at 3:16 PM, Jason Watts <[email protected]> wrote:

> I'm not sure it's common that clients speak directly to a RADIUS server.
> Usually there is a NAS in between, whether it be a VPN concentrator, switch,
> wireless controller/AP, etc. If your clients reside on subnets that have no
> visibility to the RADIUS server and NAS management subnets, then you'd only
> need to check your NAS devices for OpenSSL-related vulnerabilities, no?
>
> --
> Jason Watts
> Pratt Institute, Academic Computing
> Senior Network Administrator
> p. 718-399-4219
> f. 718-399-3416
>
> Hanset, Philippe C wrote:
>> All,
>>
>> We have been informing eduroam-connected schools in the US that were vulnerable
>> to Heartbleed (about 10 schools were vulnerable out of 180 connected to
>> eduroam-US, less than 5%).
>> The eduroam federation did testing for all eduroam-connected campuses to
>> evaluate the level of vulnerability, and we have informed each RADIUS administrator
>> independently.
>>
>> This said, ANY campus that operates an 802.1X network and uses a RADIUS
>> server using OpenSSL could potentially be at risk, since an attacker can
>> access the RADIUS server via the local WPA/WPA2-Enterprise network.
>> It does require the attacker to be physically on campus and join the
>> SSID, but the risk still exists!
>>
>> Please analyze your systems for the vulnerability (look into the version of
>> OpenSSL that you are running) and take the appropriate measures.
>>
>> Here are a few links about Heartbleed and RADIUS:
>> http://freeradius.org/security.html
>> http://www.open.com.au/pipermail/radiator-announce/2014-April/000024.html
>> https://confluence.terena.org/display/H2eduroam/heartbleed-note
>>
>> Thank you,
>>
>> Philippe
>>
>> Philippe Hanset
>> www.eduroam.us
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
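The advice in the thread is to look at the OpenSSL version behind the RADIUS server rather than only at the NAS, because the TLS inside EAP-TLS/PEAP/TTLS is terminated by the RADIUS server itself. What follows is an added example, not part of the EDUCAUSE thread and not eduroam, FreeRADIUS or Radiator tooling: it classifies `openssl version -a` output for Heartbleed (CVE-2014-0160) exposure and handles the two cases a bare version comparison gets wrong, a distribution that backported the fix without changing the upstream version string, and a build with the heartbeat extension compiled out. The sample outputs, the `FIX_DATE` heuristic and the verdict strings are assumptions made for this example; the samples are constructed in the shape of `openssl version -a` and were not captured from real hosts.

```python
# Added example: classify `openssl version -a` output for Heartbleed exposure.
# Sample outputs below are constructed, not captured from any real host.
import re
from datetime import date

# Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# 1.0.1g (7 Apr 2014) and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0
# branches never contained the TLS heartbeat code.
FIX_DATE = date(2014, 4, 7)

NOT_AFFECTED = "not affected: version outside the Heartbleed range"
NO_HEARTBEATS = "not affected: built with -DOPENSSL_NO_HEARTBEATS"
CHECK_BACKPORT = ("version in range but built on/after the fix date: "
                  "confirm the vendor backport, do not trust the version alone")
VULNERABLE = "VULNERABLE: upgrade OpenSSL, restart radiusd, replace the server key"

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
_BUILT_RE = re.compile(
    r"built on:\s*[A-Za-z]{3}\s+([A-Za-z]{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}"
    r"\s+(?:[A-Za-z]+\s+)?(\d{4})")


def parse_version(line):
    """Split 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1, 'e', None).

    The last field is the beta number for pre-releases such as 1.0.2-beta1.
    """
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL version line: %r" % line)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def version_in_affected_range(line):
    """True for 1.0.1 .. 1.0.1f and 1.0.2-beta1, False for everything else."""
    major, minor, fix, letter, beta = parse_version(line)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) sorts before "a"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def parse_build_date(output):
    """Return the 'built on:' date from `openssl version -a`, or None if absent."""
    m = _BUILT_RE.search(output)
    if not m or m.group(1) not in _MONTHS:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def assess(output):
    """Classify one host's `openssl version -a` output into one of the verdicts."""
    first_line = output.strip().splitlines()[0]
    if not version_in_affected_range(first_line):
        return NOT_AFFECTED
    # A build with the heartbeat extension disabled shows the define on the
    # 'compiler:' line even though the version string is in range.
    if "-DOPENSSL_NO_HEARTBEATS" in output:
        return NO_HEARTBEATS
    # Distributions backported the fix without bumping the upstream version
    # (RHEL 6 and Debian 7 both shipped fixed 1.0.1e packages), so an in-range
    # version built on or after the fix date needs the package changelog
    # checked rather than being declared vulnerable outright.
    built = parse_build_date(output)
    if built is not None and built >= FIX_DATE:
        return CHECK_BACKPORT
    return VULNERABLE


# Constructed samples in the shape of `openssl version -a` (not real hosts).
SAMPLE_UNPATCHED = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 15:30:00 UTC 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3
"""
SAMPLE_BACKPORT = """OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -O2
"""
SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Mar 20 09:12:45 UTC 2014
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O2
"""
SAMPLE_FIXED = """OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 20:02:11 UTC 2014
compiler: gcc -fPIC -DOPENSSL_THREADS -O2
"""

if __name__ == "__main__":
    for name, sample in [("unpatched", SAMPLE_UNPATCHED), ("backport", SAMPLE_BACKPORT),
                         ("no-heartbeats", SAMPLE_NO_HEARTBEATS), ("fixed", SAMPLE_FIXED)]:
        print("%-14s %s" % (name, assess(sample)))
```

Run `openssl version -a` on each RADIUS server and pass the output to `assess()`. The check assumes radiusd is linked against the system libssl; if FreeRADIUS or Radiator was built against a separately installed OpenSSL, run the same command with that copy (or inspect `ldd` on the radiusd binary) instead, and restart the daemon after upgrading so the new library is actually loaded. A server found vulnerable also needs a new certificate and private key, since Heartbleed can expose process memory that holds the key.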
