On 2024-08-04, Mike <the.li...@mgm51.com> wrote:
> > authentication method was not PAP
> (radiusd_bsdauth(8) supports only PAP)
>
> OK, that's the likely problem. My WiFi access point is an old Linksys,
> an LAPN600. When I go to the "Wireless Security" screen on the access
> point, I see nothing to choose a protocol to use.
For WPA-Enterprise, wifi access points typically tunnel EAP authentication
(coming from the *client*, not the AP) to the RADIUS server. As well as
handling auth, the RADIUS server also generates keying material for the
session. OpenBSD radiusd doesn't support EAP or this key material
generation. (The EAP method used is as chosen between client and RADIUS
server).

> So, it seems I have to stick with freeradiusd (and OpenBSD's insecure
> version of it) for the nonce.

I presume you're talking about "BlastRADIUS". This affects PAP, CHAP, or
MS-CHAP over RADIUS/UDP, not EAP, so a typical WPA-Enterprise config is
unaffected. It also requires that an attacker can view and modify RADIUS
packets in transit, clearly a big issue where somebody runs the protocol
over open internet connections (though this is something that has never
really been OK with RADIUS anyway), but much less of a problem where it's
run on a private network.

While it is a serious issue, it certainly doesn't affect all
configurations, and I can't help feeling that it's slightly overblown -
there was a lot of publicity from inkbridge (recently rebranded from
"network radius") who I note sell verification tools, upgrade guide and
Excel worksheet. Certainly useful in some situations but people should
read to see if they're actually vulnerable.

The version of FreeRADIUS with fixes requires an additional function from
libssl that libressl doesn't support yet. It's been added but not exposed
until we're ready for a library bump. Once that's done I have an update
ready to go. It won't be committed to -stable due to the need for that
libssl change and another change to libcrypto that already went in.

See https://www.inkbridgenetworks.com/blastradius/faq and
https://www.freeradius.org/security/ for more info and mitigations that
can be done via config until the software is updated.

-- 
Please keep replies on the mailing list.
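The config-level mitigations referred to above come down to making the RADIUS server require the Message-Authenticator attribute (RFC 2869, section 5.14) on every Access-Request, because that HMAC-MD5 covers the whole packet and so rejects any packet altered between client and server. The following is an added example, not code from this mail, from OpenBSD radiusd or from FreeRADIUS: a small Python verifier for that attribute, exercised on a constructed Access-Request. The shared secret, identifier, Request Authenticator and User-Name are all constructed placeholders, and the fixed Request Authenticator is only for a reproducible run; real clients use random bytes.

```python
"""Verify the RADIUS Message-Authenticator attribute (RFC 2869, section 5.14).

Added example; not code from the mail, OpenBSD radiusd or FreeRADIUS. It shows
the check a server performs when configured to require Message-Authenticator
on Access-Request, and why that check detects packets changed in transit.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1               # attribute type 1
MESSAGE_AUTHENTICATOR = 80  # attribute type 80, value is a 16-byte HMAC-MD5


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int,
                         request_authenticator: bytes, attrs: list) -> bytes:
    """Build an Access-Request whose last attribute is a valid Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and taken over the whole packet
    (20-byte header included) with the Message-Authenticator value set to zeros.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(_attr(t, v) for t, v in attrs)
    placeholder = _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + _attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet: bytes) -> list:
    """Return [(type, offset_of_attribute, value), ...] for everything after the header."""
    attrs, off = [], 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, off, packet[off + 2:off + attr_len]))
        off += attr_len
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if the packet is well formed and carries a valid Message-Authenticator.

    A packet without the attribute is rejected outright; that is the behaviour of a
    server configured to require Message-Authenticator on Access-Request.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    for attr_type, off, value in attrs:
        if attr_type != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, value)
    return False


def demonstrate() -> dict:
    """Run the check on a constructed packet and on variants a server must reject."""
    secret = b"constructed-shared-secret"   # placeholder, not a real secret
    req_auth = bytes(range(16))             # fixed for a reproducible demo only; real clients use random bytes
    packet = build_access_request(secret, 7, req_auth, [(USER_NAME, b"mike")])

    # A packet whose User-Name changed after the HMAC was computed (offset 22 = first value byte).
    altered = bytearray(packet)
    altered[22] ^= 0x01
    # The same packet with Message-Authenticator removed (it is the last attribute here).
    ma_off = next(off for t, off, _ in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR)
    stripped = bytearray(packet[:ma_off])
    stripped[2:4] = struct.pack("!H", len(stripped))

    return {
        "genuine": verify_message_authenticator(secret, packet),
        "altered": verify_message_authenticator(secret, bytes(altered)),
        "stripped": verify_message_authenticator(secret, bytes(stripped)),
        "wrong_secret": verify_message_authenticator(b"other-secret", packet),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The verifier rejects three cases a server must not accept: a packet whose attributes changed after the HMAC was computed, a packet with the attribute stripped, and a packet built under a different shared secret. Requiring the attribute (rather than merely checking it when present) is what closes the gap, since without the requirement an attacker who can edit the packet could simply drop it.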