www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 

ZS doesn't stop Odyssey Client from connecting using EAP-TLS

 
Drakh



Joined: 19 Jun 2010
Posts: 3

Posted: Sat Jun 19, 2010 12:34 am

I use EAP-TLS in Zeroshell to authenticate wireless clients to my network. Sometimes I need to block access for some of them, so I disable 802.1X Access in the user properties, and most Wi-Fi supplicants work as they should and cannot log in until I enable 802.1X Access again. But if I use Odyssey Client Manager, it still logs in even if I delete the user from Zeroshell. I tried every way to block it from inside Zeroshell with no luck; Odyssey still connects. The only way to stop it is to delete the certificate I installed on the Windows machine I use to log in (I export and install a PKCS file I get from Zeroshell to install both the certificate and private key on my Windows machine).

Is this a bug? Shouldn't disabling 802.1X Access prevent any attempt to log in successfully from any supplicant?
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Sat Jun 19, 2010 10:16 am

Maybe Odyssey is using another way to connect to the ZS. EAP-TLS will use both server and client keys to connect and is password-less if I remember well, so if you disable the certificates for that user he will not be allowed to connect, unless there is a backdoor.
Drakh



Joined: 19 Jun 2010
Posts: 3

Posted: Sat Jun 19, 2010 1:29 pm

No. Revoking the certificate, deleting it, even deleting the user inside Zeroshell doesn't help; Odyssey still logs in OK using EAP-TLS.

BTW, I'm using WPA2-AES Enterprise on my access point and my Odyssey supplicant is configured to log in only that way.

Here's what I get; remember, TLS-User is deleted in Zeroshell:

Login OK: [TLS-User] (from client D-Link port 0 cli 00-1D-92-XX-XX-XX)

I've reinstalled Zeroshell from scratch and used the default CA, created a new user, installed the certificate on my Windows machine, Odyssey logs in OK, deleted the user (hence the certificate) in Zeroshell and Odyssey still logs in OK.
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Sun Jun 20, 2010 10:15 am

What about doing the install from scratch and trying to connect with Odyssey without creating the user? I suspect that either Odyssey logs in another way, or there is a bug in the web interface that doesn't actually delete the users.
Drakh



Joined: 19 Jun 2010
Posts: 3

Posted: Wed Jun 23, 2010 1:41 pm

Did what you suggested (with a fresh install where I only activated the RADIUS service and added the AP client to the list). No, it doesn't stop it from entering, so Zeroshell doesn't filter clients correctly once a certificate generated by Zeroshell is installed on a PC (tried revoking/deleting/recreating the admin certificate and root CA certificate also / restarting the RADIUS service).

Yes, Odyssey is a pretty complex supplicant that has many features; one of them is skipping ZS security.
ppalias



Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece

Posted: Wed Jun 23, 2010 2:45 pm

Then all you can do is report the bug in the appropriate section of this forum.