MSM765 active directory authentication security issue

Marcel Mossel
Occasional Contributor

Our school has an MSM765zl controller. The firmware version is 5.7.0.3-11516. We have found an important security risk concerning the Active Directory authentication.

Users are authenticated via Active Directory. RADIUS is not configured. In Active Directory and on the MSM765 we have defined several security groups with identical names that determine which VSC/SSID a user has access to. Each user is a member of only one group.


- Cvo-nowifi: no wifi access, because the VSC is not available on any AP
- Cvo-leerling: students
- Cvo-mdw: employees
- Cvo-gast: guests
- Cvo-edu: managed laptops owned by the school


The default group is restricted to the nowifi vsc.

 

We have tested this with a Windows 7 laptop and it works fine. A user has access if he/she is a member of the corresponding AD group and access is denied if he/she is not a member.

However, when we connect from a smartphone (we tested with an Android phone) we find that one can connect to any VSC. The same issue exists on tablets, since students are able to log in to the employee VSC.

So far we have not been able to solve this issue, so we are thinking of using an alternative solution with only a single VSC/SSID for all users and a dynamically assigned VLAN based on group membership.


However, using more than one VSC/SSID has certain advantages:

- One can differentiate between different groups with respect to the availability of the wireless network at specific locations;
- It is possible to assign different priorities to different VSCs;
- Since each AP has two radios, one may limit certain VSCs to only one frequency band, ensuring more reliable performance on the other band.

Of course I can use the remote access permission, but then I block access to all SSIDs.


Is there something we are doing wrong?

Marcel Mossel
Occasional Contributor

Re: MSM765 active directory authentication security issue

We solved part of the problem by upgrading the software on the msm765 from 5.7 to 6.0.1. After that most students are not connected anymore, showing an authentication failure in the log of the msm765.

 

However, a small number of students are still able to connect with non-existent Active Directory accounts like "islam" and "christus". The MSM765 shows a "RADIUS authentication OK" message. The students seem to use some sort of app on their smartphone that exploits a vulnerability in either the protocol or the implementation by HP. We are further investigating this. Another option we have is to use a wifi scanner to track down the students.
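The two symptoms reported in this thread (a student admitted to the employee VSC, and "RADIUS authentication OK" for accounts that do not exist in AD) can both be caught by reconciling the controller's successful authentications against the directory. The script below is an added example and is not code from the original posts or from HP; the log line format is a constructed stand-in for a controller syslog line (the real MSM765 format is not shown in the thread, so the regular expression would need adjusting), and the account-to-group table and usernames are constructed sample data. It assumes, as the thread states, that each user is in exactly one group and that VSC names match group names.

```python
"""Reconcile wireless controller auth successes against Active Directory.

Added example, not from the original thread. The log format below is a
constructed approximation of a controller syslog line; the AD membership
table and all usernames are constructed sample data.
"""
import re
from dataclasses import dataclass

# Hypothetical log line shape (constructed, not the MSM765's real format):
#   <timestamp> RADIUS authentication OK user=<name> vsc=<vsc>
LOG_RE = re.compile(
    r"RADIUS authentication (?P<result>OK|FAILED) user=(?P<user>\S+) vsc=(?P<vsc>\S+)"
)

# Constructed sample: sAMAccountName (lower-cased) -> the single AD group it is in.
# Account names ending in "$" are computer accounts (machine authentication).
AD_GROUPS = {
    "jdoe": "Cvo-leerling",
    "asmith": "Cvo-mdw",
    "guest01": "Cvo-gast",
    "lt-0042$": "Cvo-edu",
}

# VSC name -> the one AD group allowed on it (identical names, as in the thread).
# Cvo-nowifi is deliberately absent: nobody should ever be admitted there.
VSC_GROUP = {
    "Cvo-leerling": "Cvo-leerling",
    "Cvo-mdw": "Cvo-mdw",
    "Cvo-gast": "Cvo-gast",
    "Cvo-edu": "Cvo-edu",
}

# Constructed sample log: one good student login, a student on the employee
# VSC, a failed attempt, a success for an account that is not in AD, and a
# managed-laptop machine authentication.
SAMPLE_LOG = """\
2013-01-14 08:01:02 RADIUS authentication OK user=jdoe vsc=Cvo-leerling
2013-01-14 08:01:05 RADIUS authentication OK user=jdoe vsc=Cvo-mdw
2013-01-14 08:02:11 RADIUS authentication FAILED user=asmith vsc=Cvo-edu
2013-01-14 08:03:40 RADIUS authentication OK user=islam vsc=Cvo-mdw
2013-01-14 08:04:00 RADIUS authentication OK user=lt-0042$ vsc=Cvo-edu
"""


@dataclass(frozen=True)
class Finding:
    user: str
    vsc: str
    reason: str


def audit(log_text, ad_groups=AD_GROUPS, vsc_group=VSC_GROUP):
    """Return one Finding per successful authentication that AD does not justify.

    Two conditions are flagged:
      * the account does not exist in AD at all (the "islam"/"christus" case);
      * the account exists but is admitted to a VSC whose group it is not in
        (the student-on-employee-VSC case).
    Failed authentications are ignored: only successes grant access.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("result") != "OK":
            continue
        user, vsc = m.group("user"), m.group("vsc")
        group = ad_groups.get(user.lower())  # AD names are case-insensitive
        if group is None:
            findings.append(Finding(user, vsc, "success for account not in AD"))
        elif vsc_group.get(vsc) != group:
            findings.append(
                Finding(user, vsc, f"member of {group} but admitted to VSC {vsc}")
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.user:12s} {f.vsc:14s} {f.reason}")
```

Run against a real export, the accounts that appear in findings with "not in AD" are exactly the ones worth chasing with a scanner or a MAC lookup, and a "member of X but admitted to Y" line is the first post's symptom showing up in the log rather than being discovered by a student.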

 

Marcel Mossel
Occasional Contributor

Re: MSM765 active directory authentication security issue

We already solved this some time ago. We use laptops that authenticate the machine against Active Directory. These laptops are already connected to the wireless network before user logon. With a tool, students copy a certain security key from the computer and import this onto their mobile phone. Two solutions exist:

1 - Use machine certificates;

2 - Block users from reading the security key.