09-01-2010 09:20 AM
Hi,
I am currently deploying some AP541N and I just discovered what seems to be a security bug.
The AP541N version:
Product Identifier: AP541N-E-K9
Hardware Version: V01
Software Version: AP541N-K9-1.9(2)
I have programmed an SSID with WPA Enterprise standard settings and MAC filtering using the radius server.
[VAP table: VAP | Enabled | VLAN ID | SSID | Broadcast SSID | Security | MAC Filtering | Station Isolation | HTTP Redirect | Redirect URL | Delete; the values of the VAP 0 row were not captured]
The radius server is a freeradius linux server globally configured and the client is a MacBook Pro, but the problem is independent of the client and radius server.
The bug is that although the MAC address of my client fails on the radius server, the client is accepted on the AP.
The log on the radius server shows the failed MAC auth and the successful WPA2 auth:
Wed Sep 1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep 1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
and then the client is able to access the network and the MAC address authentication with the radius server is never retried for this client (I suppose because the AP has whitelisted the MAC address).
This is a serious security bug!
Is it present on older firmware versions?
Alain RICHARD
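As an added example (not from the post, Cisco or FreeRADIUS), here is a small Python check over FreeRADIUS "Auth:" log lines in the shape quoted above that flags a station admitted via EAP right after its MAC-filter lookup was rejected, which is the symptom reported. The regex, the 60-second window and the sample log are assumptions constructed for the example.

```python
import re
from datetime import datetime

# FreeRADIUS "Auth:" line shape as quoted in the post (regex is an assumption
# covering only that shape, not every FreeRADIUS log variant).
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]+)/(?P<detail>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<cli>\S+)\)$"
)

# Constructed sample: the post's two lines plus a station that passes both checks.
SAMPLE_LOG = """\
Wed Sep 1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep 1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)
Wed Sep 1 17:45:10 2010 : Auth: Login OK: [00-11-22-33-44-55/NOPASSWORD] (from client ap541n port 0 cli 00-11-22-33-44-55)
Wed Sep 1 17:45:11 2010 : Auth: Login OK: [bob/<via Auth-Type = EAP>] (from client ap541n port 0 cli 00-11-22-33-44-55)
"""

def parse_line(line):
    """Parse one Auth line into a dict, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "ok": m["result"] == "OK", "user": m["user"],
            "detail": m["detail"], "nas": m["nas"], "cli": m["cli"].upper()}

def is_mac_check(ev):
    """MAC-filter requests carry the calling station's MAC as the user name."""
    return ev["user"].upper() == ev["cli"]

def find_mac_filter_bypasses(log_text, window_s=60):
    """EAP logins that followed a rejected MAC check for the same station and NAS."""
    last_reject = {}  # (nas, station MAC) -> time of last MAC-check rejection
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["nas"], ev["cli"])
        if is_mac_check(ev):
            if ev["ok"]:
                last_reject.pop(key, None)  # station is on the allow list now
            else:
                last_reject[key] = ev["ts"]
        elif ev["ok"] and "EAP" in ev["detail"] and key in last_reject:
            if (ev["ts"] - last_reject[key]).total_seconds() <= window_s:
                hits.append({"nas": ev["nas"], "station": ev["cli"], "user": ev["user"], "ts": ev["ts"]})
    return hits
```

Run against the real radius.log to list stations that got onto the network despite a MAC-filter rejection; a second station that reconnects without any new MAC-check line is the "never rechecked" behaviour from the follow-up post.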
09-01-2010 10:37 AM
I have a partial solution. On the Wireless/MAC filtering page, the default setup is:
MAC Filtering |
And surprise, although this seems to be only for the Local list, the setup "Block all stations in list" will apply also for radius MAC checks!!!!
So setting this field to "Allow only stations in list" and then rebooting the AP has partially solved the problem:
A station MAC is checked with the radius server once, and then the station is blocked if the check was unsuccessful and unblocked if the check was successful.
But there is still a problem: after the initial radius check, the station is NEVER rechecked with the radius server, so the station is BLOCKED and is never unblocked, even if you add it to the radius server at a later time. The only solution I have found is to reboot the AP.
This is a very serious problem because generally stations are seen by the various APs before their MAC is entered into the radius server. And having to reboot all the APs of a site in order to get one station to be recognized is not an option!!!