AP541N firmware 1.9.2 MAC filtering bug?


Hi,


I am currently deploying some AP541N and I just discovered what seems to be a security bug.


The AP541N version:



Product Identifier: AP541N-E-K9
Hardware Version: V01
Software Version: AP541N-K9-1.9(2)


I have programmed an SSID with WPA Enterprise standard settings and MAC filtering using the RADIUS server.



VAP 0 settings (form columns as captured from the AP web page, with the dropdown options shown for each field):
Enabled, VLAN ID, SSID, Broadcast SSID, Security (None / Static WEP / Dynamic WEP / WPA Personal / WPA Enterprise), MAC Filtering (Disabled / Local / RADIUS), Station Isolation (Enabled / Disabled), HTTP Redirect (Disable / Enable), Redirect URL

WPA Versions: WPA, WPA2
Enable pre-authentication
Cipher Suites: TKIP, CCMP (AES)
Use global RADIUS server settings
RADIUS IP Address:
RADIUS IP Address-1:
RADIUS IP Address-2:
RADIUS IP Address-3:
RADIUS Key:
RADIUS Key-1:
RADIUS Key-2:
RADIUS Key-3:
Enable RADIUS accounting
Active Server: RADIUS IP Address / RADIUS IP Address-1 / RADIUS IP Address-2 / RADIUS IP Address-3
Broadcast Key Refresh Rate (Range: 0-86400)
Session Key Refresh Rate (Range: 0-86400)


The RADIUS server is a FreeRADIUS Linux server, globally configured, and the client is a MacBook Pro, but the problem is independent of the client and the RADIUS server.


The bug is that although the MAC address of my client fails on the RADIUS server, the client is accepted on the AP.


The log on the RADIUS server shows the failed MAC auth and the successful WPA2 auth:



Wed Sep  1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)

Wed Sep  1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)

At the same time the AP shows a success:
Sep  1 17:44:22 192.168.240.136 hostapd: wlan0: IEEE 802.11 Assoc request from 60:33:4b:04:ae:84 BSSID 00:21:29:01:f9:90 SSID xxxx
Sep  1 17:44:22 192.168.240.136 hostapd: wlan0: IEEE 802.11 STA 60:33:4b:04:ae:84 associated with BSSID 00:21:29:01:f9:90
Sep  1 17:44:22 192.168.240.136 hostapd: wlan0: STA 60:33:4b:04:ae:84 IEEE 802.1X: EAP authentication with the authentication server completed
Sep  1 17:44:23 192.168.240.136 hostapd: wlan0: STA 60:33:4b:04:ae:84 WPA: pairwise key exchange completed (WPAv2)
Sep  1 17:44:23 192.168.240.136 hostapd: The wireless client with MAC address 60:33:4b:04:ae:84 has been successfully authenticated.
Sep  1 17:44:23 192.168.240.136 hostapd: wlan0: STA 60:33:4b:04:ae:84 IEEE 802.1X: authenticated - identity 'arichard' EAP type: 25 (PEAP)

And then the client is able to access the network, and the MAC address authentication with the RADIUS server is never retried for this client (I suppose because the AP has whitelisted the MAC address).


This is a serious security bug!


Is it present on older firmware versions?


Alain RICHARD
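An added detection script (not from this post, Cisco or FreeRADIUS) that correlates the two log formats quoted above and flags any client the AP reports as authenticated although its RADIUS MAC check was rejected. The log lines it parses are constructed samples modelled on the ones above; the second client is assumed to be a legitimately allowed station for contrast.

```python
import re

# Constructed sample lines, modelled on the FreeRADIUS and hostapd output quoted in the post.
RADIUS_LOG = """\
Wed Sep  1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep  1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep  1 17:50:02 2010 : Auth: Login OK: [00-11-22-33-44-55/NOPASSWORD] (from client ap541n port 0 cli 00-11-22-33-44-55)
Wed Sep  1 17:50:03 2010 : Auth: Login OK: [bob/<via Auth-Type = EAP>] (from client ap541n port 0 cli 00-11-22-33-44-55)
"""
AP_LOG = """\
Sep  1 17:44:23 192.168.240.136 hostapd: The wireless client with MAC address 60:33:4b:04:ae:84 has been successfully authenticated.
Sep  1 17:50:04 192.168.240.136 hostapd: The wireless client with MAC address 00:11:22:33:44:55 has been successfully authenticated.
"""

# A MAC-auth request is recognisable by username == calling station and password NOPASSWORD.
MAC_AUTH_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^/\]]+)/NOPASSWORD\]"
    r".*?cli (?P<mac>[0-9A-Fa-f:-]{17})")
AP_AUTH_RE = re.compile(
    r"client with MAC address (?P<mac>[0-9A-Fa-f:]{17}) has been successfully authenticated")

def norm_mac(mac):
    """Canonical lower-case colon form so 60-33-4B-... (RADIUS) and 60:33:4b:... (hostapd) agree."""
    return mac.replace("-", ":").lower()

def mac_auth_results(radius_log):
    """Map MAC -> last RADIUS MAC-authentication verdict ('OK' or 'incorrect').
    EAP user logins that follow a MAC check are ignored: they carry a username, not a MAC."""
    verdicts = {}
    for line in radius_log.splitlines():
        m = MAC_AUTH_RE.search(line)
        if m and norm_mac(m.group("user")) == norm_mac(m.group("mac")):
            verdicts[norm_mac(m.group("mac"))] = m.group("result")
    return verdicts

def ap_authenticated(ap_log):
    """Set of MACs the AP itself reports as successfully authenticated."""
    return {norm_mac(m.group("mac")) for m in map(AP_AUTH_RE.search, ap_log.splitlines()) if m}

def find_bypasses(radius_log, ap_log):
    """MACs admitted by the AP although the RADIUS MAC check for them was rejected."""
    verdicts = mac_auth_results(radius_log)
    return sorted(mac for mac in ap_authenticated(ap_log) if verdicts.get(mac) == "incorrect")

if __name__ == "__main__":
    for mac in find_bypasses(RADIUS_LOG, AP_LOG):
        print(f"MAC filter bypass: {mac} rejected by RADIUS but authenticated on the AP")
```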


I have a partial solution. On the Wireless/MAC Filtering page, the default setup is:



MAC Filtering
Filter: Allow only stations in list / Block all stations in list
Stations List
MAC Address: __:__:__:__:__:__
Click "Apply" to save the new settings.


And surprise, although this seems to be only for the Local list, the setting "Block all stations in list" also applies to RADIUS MAC checks!!!!


So setting this field to "Allow only stations in list" and then rebooting the AP has partially solved the problem:


A station MAC is checked with the RADIUS server once, and then the station is blocked if the check was unsuccessful and unblocked if the check was successful.


But there is still a problem: after the initial RADIUS check, the station is NEVER rechecked with the RADIUS server, so the station is BLOCKED and is never unblocked, even if you add it to the RADIUS server at a later time. The only solution I have found is to reboot the AP.


This is a very serious problem because generally stations are seen by the various APs before their MAC is entered into the RADIUS server. And having to reboot all the APs of a site in order to get one station recognized is not an option!!!
