<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: MSM765 active directory authentication security issue in M and MSM Series</title>
    <link>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6220733#M2271</link>
    <description>&lt;P&gt;We solved part of the problem by upgrading the software on the msm765 from 5.7 to 6.0.1. After that, most students could not connect anymore; the log of the msm765 shows an authentication failure.&lt;/P&gt;&lt;P&gt;However, a small number of students are still able to connect with non-existent Active Directory accounts like "islam" and "christus". The msm765 shows a "RADIUS authentication OK" message. The students seem to use some sort of app on their smartphone that exploits a vulnerability in either the protocol or the implementation by HP. We are investigating this further. Another option we have is to use a wifi scanner to track down the students.&lt;/P&gt;</description>
    <pubDate>Sun, 29 Sep 2013 08:54:55 GMT</pubDate>
    <dc:creator>Marcel Mossel</dc:creator>
    <dc:date>2013-09-29T08:54:55Z</dc:date>
    <item>
      <title>MSM765 active directory authentication security issue</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6203971#M2257</link>
      <description>&lt;P&gt;Our school has an MSM765zl controller. The firmware version is 5.7.0.3-11516. We have found an important security risk concerning the Active Directory authentication.&lt;/P&gt;&lt;P&gt;Users are authenticated via Active Directory. RADIUS is not configured. In Active Directory and on the msm765 we have defined several security groups with identical names that determine to which VSC/SSID a user has access. Each user is a member of only one group.&lt;/P&gt;&lt;TABLE&gt;&lt;TR&gt;&lt;TH&gt;Group&lt;/TH&gt;&lt;TH&gt;Who / what&lt;/TH&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Cvo-nowifi&lt;/TD&gt;&lt;TD&gt;no wifi access, because the VSC is not available on any AP&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Cvo-leerling&lt;/TD&gt;&lt;TD&gt;students&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Cvo-mdw&lt;/TD&gt;&lt;TD&gt;employees&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Cvo-gast&lt;/TD&gt;&lt;TD&gt;guests&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Cvo-edu&lt;/TD&gt;&lt;TD&gt;managed laptops owned by the school&lt;/TD&gt;&lt;/TR&gt;&lt;/TABLE&gt;&lt;P&gt;The default group is restricted to the nowifi VSC.&lt;/P&gt;&lt;P&gt;We have tested this with a Windows 7 laptop and it works fine. A user has access if he/she is a member of the corresponding AD group, and access is denied if he/she is not a member.&lt;/P&gt;&lt;P&gt;However, when we connect from a smartphone (we tested with an Android phone) we find that one can connect to any VSC. The same issue exists on tablets, since students are able to log in to the employee VSC.&lt;/P&gt;&lt;P&gt;So far we were not able to solve this issue, so we are thinking of using an alternative solution with only a single VSC/SSID for all users and a dynamically assigned VLAN based on group membership.&lt;/P&gt;&lt;P&gt;However, using more than one VSC/SSID has certain advantages:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;One can differentiate between different groups with respect to the availability of the wireless network at specific locations;&lt;/LI&gt;&lt;LI&gt;It is possible to assign different priorities to different VSCs;&lt;/LI&gt;&lt;LI&gt;Since each AP has two transmitters, one may limit certain VSCs to only one frequency band, ensuring more reliable performance on the other band.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Of course I can use the remote access permission, but then I block access to all SSIDs.&lt;/P&gt;&lt;P&gt;Is there something we are doing wrong?&lt;/P&gt;</description>
      <pubDate>Fri, 13 Sep 2013 21:58:27 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6203971#M2257</guid>
      <dc:creator>Marcel Mossel</dc:creator>
      <dc:date>2013-09-13T21:58:27Z</dc:date>
    </item>
    <item>
      <title>Re: MSM765 active directory authentication security issue</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6220733#M2271</link>
      <description>&lt;P&gt;We solved part of the problem by upgrading the software on the msm765 from 5.7 to 6.0.1. After that, most students could not connect anymore; the log of the msm765 shows an authentication failure.&lt;/P&gt;&lt;P&gt;However, a small number of students are still able to connect with non-existent Active Directory accounts like "islam" and "christus". The msm765 shows a "RADIUS authentication OK" message. The students seem to use some sort of app on their smartphone that exploits a vulnerability in either the protocol or the implementation by HP. We are investigating this further. Another option we have is to use a wifi scanner to track down the students.&lt;/P&gt;</description>
      <pubDate>Sun, 29 Sep 2013 08:54:55 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6220733#M2271</guid>
      <dc:creator>Marcel Mossel</dc:creator>
      <dc:date>2013-09-29T08:54:55Z</dc:date>
    </item>
    <item>
      <title>Re: MSM765 active directory authentication security issue</title>
      <link>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6404258#M3713</link>
      <description>&lt;P&gt;We already solved this some time ago. We use laptops that authenticate the machine against Active Directory. These laptops are already connected to the wireless network before user logon. With a tool, students copy a certain security key from the computer and import it onto their mobile phone. Two solutions exist:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Use machine certificates;&lt;/LI&gt;&lt;LI&gt;Block users from reading the security key.&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Sat, 08 Mar 2014 12:50:12 GMT</pubDate>
      <guid>https://community.hpe.com/t5/m-and-msm-series/msm765-active-directory-authentication-security-issue/m-p/6404258#M3713</guid>
      <dc:creator>Marcel Mossel</dc:creator>
      <dc:date>2014-03-08T12:50:12Z</dc:date>
    </item>
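The last post explains the root cause (a key stored on the domain-joined laptop that a logged-on user can read and move to a phone) and the two fixes (machine certificates, or blocking users from reading the key). The following is an added example, not code from the forum posts or from HPE: a small audit that parses the "Field : Value" text that Windows prints for `netsh wlan show profile name="SSID" key=clear` and flags profiles whose credentials a user could carry to another device. The two profile dumps are constructed samples in that layout (SSIDs, key and credential values are made up, and the exact wording of the 802.1X credential line is assumed); `collect_from_netsh` is a hypothetical helper for gathering real dumps on a Windows host.

```python
"""Audit Windows WLAN profiles for credentials a logged-on user could copy to a phone.

Added example for the thread above; not code from the forum posts or from HPE.
It parses the "Field : Value" text layout printed by
    netsh wlan show profile name="SSID" key=clear
The two dumps below are constructed samples in that layout (SSIDs, key and
credential values are made up), not output captured from the school's network.
"""
import re
import subprocess

# Constructed sample 1: a WPA2-Personal profile whose pre-shared key is shown
# in clear, which is exactly the kind of key a user can carry over to a phone.
SAMPLE_PSK = """\
Profile Cvo-edu-psk on interface Wi-Fi:
=======================================================================
Applied: All User Profile

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Correct-Horse-Battery-Staple
"""

# Constructed sample 2: 802.1X with EAP-TLS and a machine credential, the
# "machine certificates" fix from the thread. No key material is present.
SAMPLE_EAPTLS = """\
Profile Cvo-edu on interface Wi-Fi:
=======================================================================
Applied: All User Profile

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
    Security key           : Absent
    802.1X                 : Enabled
    EAP type               : Microsoft: Smart Card or other certificate
    802.1X auth credential : Machine credential
"""

_NAME_RE = re.compile(r"^Profile (.+?) on interface ")
_FIELD_RE = re.compile(r"^\s*([A-Za-z0-9. ]+?)\s*:\s*(.+?)\s*$")


def parse_profile(dump):
    """Turn one netsh profile dump into a dict of field to value (plus "_name")."""
    fields = {"_name": None}
    for line in dump.splitlines():
        m = _NAME_RE.match(line)
        if m:
            fields["_name"] = m.group(1)
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess(fields):
    """Return the findings for one profile; an empty list means the profile
    authenticates with a machine certificate and exposes nothing a user can copy."""
    findings = []
    auth = fields.get("Authentication", "")
    if "Key Content" in fields:
        findings.append("key-readable")        # PSK printed in clear for this user
    if auth.endswith("Personal"):
        findings.append("shared-psk")          # one secret for every device, no identity
    if fields.get("802.1X") == "Enabled":
        eap = fields.get("EAP type", "").lower()
        cred = fields.get("802.1X auth credential", "")
        if "certificate" not in eap:
            findings.append("password-eap")    # PEAP/MSCHAPv2: a copied password works anywhere
        if "Machine" not in cred:
            findings.append("user-credential") # user, not machine, identity decides access
    return findings


def audit(dumps):
    """Map profile name to findings for a list of netsh dumps."""
    result = {}
    for dump in dumps:
        fields = parse_profile(dump)
        result[fields["_name"]] = assess(fields)
    return result


def collect_from_netsh():
    """Hypothetical helper: on a Windows host, dump every stored profile with
    key=clear (reading key material normally needs an elevated prompt)."""
    listing = subprocess.run(["netsh", "wlan", "show", "profiles"],
                             capture_output=True, text=True, check=True).stdout
    names = re.findall(r"All User Profile\s*:\s*(.+)", listing)
    dumps = []
    for name in names:
        out = subprocess.run(["netsh", "wlan", "show", "profile",
                              "name=" + name.strip(), "key=clear"],
                             capture_output=True, text=True, check=True).stdout
        dumps.append(out)
    return dumps


if __name__ == "__main__":
    for name, findings in audit([SAMPLE_PSK, SAMPLE_EAPTLS]).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

Run on a real laptop by replacing the two samples with `collect_from_netsh()`. A profile with no findings is the EAP-TLS machine-certificate configuration the thread recommends; "key-readable" is the condition the second fix (blocking users from reading the key) is meant to remove, and "password-eap" or "user-credential" mean that whatever a user can extract from the laptop would also work on a phone.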
  </channel>
</rss>

