AP541N firmware 1.9.2 mac filtering bug ?

Hi,

I am currently deploying some AP541N and I just discovered what seems to be a security bug.

The AP541N version:

Product Identifier:AP541N-E-K9
Hardware Version:V01
Software Version:AP541N-K9-1.9(2)

I have programmed an SSID with WPA Enterprise standard settings and MAC filtering using the RADIUS server.

VAP table columns: VAP, Enabled, VLAN ID, SSID, Broadcast SSID, Security, MAC Filtering, Station Isolation, HTTP Redirect, Redirect URL
VAP 0 security settings:
WPA Versions: WPA, WPA2
Enable pre-authentication
Cipher Suites: TKIP, CCMP (AES)
Use global RADIUS server settings
RADIUS IP Address:
RADIUS IP Address-1:
RADIUS IP Address-2:
RADIUS IP Address-3:
RADIUS Key:
RADIUS Key-1:
RADIUS Key-2:
RADIUS Key-3:
Enable RADIUS accounting
Active Server:
Broadcast Key Refresh Rate (Range: 0-86400)
Session Key Refresh Rate (Range: 0-86400)

The RADIUS server is a FreeRADIUS Linux server, globally configured, and the client is a MacBook Pro, but the problem is independent of the client and RADIUS server.

The bug is that although the MAC address of my client fails on the RADIUS server, the client is accepted on the AP.

The log on the RADIUS server shows the failed MAC auth and the successful WPA2 auth:

Wed Sep  1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)

Wed Sep  1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)

At the same time the AP shows a success:
Sep  1 17:44:22 192.168.240.136 hostapd: wlan0: IEEE 802.11 Assoc request from 60:33:4b:04:ae:84 BSSID 00:21:29:01:f9:90 SSID xxxx
Sep  1 17:44:22 192.168.240.136 hostapd: wlan0: IEEE 802.11 STA 60:33:4b:04:ae:84 associated with BSSID 00:21:29:01:f9:90
Sep  1 17:44:22 192.168.240.136 hostapd: wlan0: STA 60:33:4b:04:ae:84 IEEE 802.1X: EAP authentication with the authentication server completed
Sep  1 17:44:23 192.168.240.136 hostapd: wlan0: STA 60:33:4b:04:ae:84 WPA: pairwise key exchange completed (WPAv2)
Sep  1 17:44:23 192.168.240.136 hostapd: The wireless client with MAC address 60:33:4b:04:ae:84 has been successfully authenticated.
Sep  1 17:44:23 192.168.240.136 hostapd: wlan0: STA 60:33:4b:04:ae:84 IEEE 802.1X: authenticated - identity 'arichard' EAP type: 25 (PEAP)

And then the client is able to access the network, and the MAC address authentication with the RADIUS server is never retried for this client (I suppose because the AP has whitelisted the MAC address).

This is a serious security bug!

Is it present on older firmware versions?

Alain RICHARD
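
One way to spot this condition from the logs is to correlate the two sources: a station whose MAC-based RADIUS check ("Login incorrect" with the MAC as User-Name) was refused, yet which the AP reports as successfully authenticated. The script below is an added example, not part of the original post or of any Cisco or FreeRADIUS tooling; the sample lines are constructed after the ones quoted above and include a station that was correctly blocked and one that was correctly admitted, so only the anomalous station is reported.

```python
import re

# Constructed sample lines, modelled on the FreeRADIUS and hostapd lines quoted in the post.
RADIUS_LOG = """\
Wed Sep  1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep  1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep  1 17:50:02 2010 : Auth: Login OK: [00-11-22-33-44-55/NOPASSWORD] (from client ap541n port 0 cli 00-11-22-33-44-55)
Wed Sep  1 17:50:03 2010 : Auth: Login OK: [bob/<via Auth-Type = EAP>] (from client ap541n port 0 cli 00-11-22-33-44-55)
Wed Sep  1 17:55:10 2010 : Auth: Login incorrect: [AA-BB-CC-DD-EE-FF/NOPASSWORD] (from client ap541n port 0 cli AA-BB-CC-DD-EE-FF)
"""
AP_LOG = """\
Sep  1 17:44:23 192.168.240.136 hostapd: The wireless client with MAC address 60:33:4b:04:ae:84 has been successfully authenticated.
Sep  1 17:50:04 192.168.240.136 hostapd: The wireless client with MAC address 00:11:22:33:44:55 has been successfully authenticated.
"""

RADIUS_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^/\]]+)/[^\]]*\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:-]{17})\)")
AP_AUTH_RE = re.compile(
    r"hostapd: The wireless client with MAC address (?P<mac>[0-9A-Fa-f:-]{17}) "
    r"has been successfully authenticated")
# MAC authentication sends the station MAC itself as the User-Name (60-33-4B-...)
MAC_USER_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")

def norm_mac(mac):
    """FreeRADIUS logs 60-33-4B-04-AE-84, hostapd logs 60:33:4b:04:ae:84; unify them."""
    return mac.lower().replace("-", ":")

def mac_filter_bypasses(radius_lines, ap_lines):
    """Return {mac: eap_identity} for stations whose most recent MAC-based RADIUS
    check failed but which the AP nonetheless reports as successfully authenticated."""
    last_mac_result = {}   # mac -> "OK" / "incorrect" from the MAC-auth request
    eap_identity = {}      # mac -> user name of the 802.1X/EAP auth from that station
    for line in radius_lines:
        m = RADIUS_RE.search(line)
        if not m:
            continue
        mac = norm_mac(m.group("mac"))
        if MAC_USER_RE.match(m.group("user")):
            last_mac_result[mac] = m.group("result")
        else:
            eap_identity[mac] = m.group("user")
    accepted = set()
    for line in ap_lines:
        m = AP_AUTH_RE.search(line)
        if m:
            accepted.add(norm_mac(m.group("mac")))
    failed = {mac for mac, res in last_mac_result.items() if res == "incorrect"}
    return {mac: eap_identity.get(mac) for mac in failed & accepted}
```

Because only the latest MAC-auth result per station counts, a station added to the RADIUS server later (and re-checked, once the AP does re-check) drops out of the report.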


Re: AP541N firmware 1.9.2 mac filtering bug ?

I have a partial solution. On the Wireless/MAC Filtering page, the default setup is:

MAC Filtering
Filter: Allow only stations in list / Block all stations in list
Stations List
MAC Address: (blank)

And surprise, although this seems to be only for the local list, the setting "Block all stations in list" also applies to RADIUS MAC checks!!!!

So setting this field to "Allow only stations in list" and then rebooting the AP has partially solved the problem:

A station MAC is checked with the RADIUS server once, and then the station is blocked if the check was unsuccessful and unblocked if the check was successful.

But there is still a problem: after the initial RADIUS check, the station is NEVER rechecked with the RADIUS server, so the station is BLOCKED and is never unblocked, even if you add it to the RADIUS server at a later time. The only solution I have found is to reboot the AP.

This is a very serious problem because generally stations are seen by the various APs before their MAC is entered into the RADIUS server. And having to reboot all the APs of a site in order to get one station recognized is not an option!!!
