Netgate Discussion Forum

Captive Portal with AD - LDAP authenticates without a password!!

Captive Portal
28 Posts 8 Posters 3.5k Views
olakara, Jan 8, 2019, 10:28 AM (edited Jan 8, 2019, 6:57 PM)

I have pfSense 2.4.4_1 Captive Portal with LDAP (Windows 2008 AD server). The AD server is configured at User Manager - Authentication Servers and it works fine when testing at Diagnostics - Authentication. I can also authenticate Captive Portal users without any issue. But the CP users can authenticate by entering only the user name (without entering a password)! How do I fix the issue?

    regards,

free4 (Rebel Alliance), replying to olakara, Jan 8, 2019, 11:18 AM

@olakara said in Captive Portal Authentication with AD - LDAP authenticates only with user name (without password):

I have pfSense 2.4.4_1 Captive Portal with LDAP (Windows 2008 AD server). The AD server is configured at User Manager - Authentication Servers and it works fine when testing at Diagnostics - Authentication. I can also authenticate Captive Portal users without any issue. But the CP users can authenticate by entering only the user name (without entering a password)! How do I fix the issue?

regards,

      Create a custom captive portal login page.

Inside this custom page, include a hidden input:

      <input type="hidden" name="auth_pass" value="" />
      

This should fix your issue.

olakara, replying to free4, Jan 8, 2019, 2:14 PM (edited 2:15 PM)

@free4

Didn't work :(

I'm using a modified default login page with user, password and voucher code. Unfortunately the page allows the user to authenticate with an empty password...

<form name="login_form" method="post" action="http://192.168.11.1:8002/index.php?zone=srmg">
    <input type="text" name="auth_user" placeholder="User" id="auth_user">
    <input type="password" name="auth_pass" placeholder="Password" id="auth_pass">
    <br /><br />
    <input name="auth_voucher" type="text" placeholder="Voucher Code">
    <input type="hidden" name="auth_pass" value="" />
    <input name="redirurl" type="hidden" value="http://detectportal.firefox.com/success.txt">
    <input type="submit" name="accept" class="login login-submit" value="Login" id="login">
</form>
        

[image: WhatsApp Image 2019-01-08 at 4.36.59 PM.jpeg]

Gertjan, Jan 8, 2019, 2:22 PM

Check your HTML code: you now have two references to:

<input type="password" name="auth_pass" placeholder="Password" id="auth_pass">
and
<input type="hidden" name="auth_pass" value="" />

This one
<input type="hidden" name="auth_pass" value="" />
makes a hidden empty password.

You should remove the other one, just above.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

olakara, replying to Gertjan, Jan 8, 2019, 6:53 PM

@gertjan

It seems my post was not clear to you. I need the CP users to authenticate with username + password. Now a user can log in in two ways:

1. username and blank password (this is not acceptable)
2. username and password (this is okay)

If I make the change as per your suggestion, the password field will disappear...

<input type="text" name="auth_user" placeholder="User" id="auth_user">
<input type="hidden" name="auth_pass" value="" />
<br /><br />
<input name="auth_voucher" type="text" placeholder="Voucher Code">
Gertjan, Jan 8, 2019, 9:21 PM

Ok, then I don't understand.

If you have a user like 12345678 and a password, then users can't log in without the password that belongs to that user.
Are you saying that "12345678" is enough to have access?


Derelict (LAYER 8 Netgate), Jan 8, 2019, 9:47 PM

                Duplicate the "log in with no password" behavior with the default login page.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

olakara, replying to Gertjan, Jan 9, 2019, 6:48 AM

@gertjan yes, 12345678 is enough to have access, or 12345678 + password... both will work.

olakara, replying to Derelict, Jan 9, 2019, 10:28 AM

                    @derelict

                    Jan 9 10:27:46 logportalauth 20913 Zone: wifitest - ACCEPT: olakara, 00:1f:f3:be:3c:xx, 192.168.11.102

jimp (Rebel Alliance Developer Netgate), Jan 9, 2019, 2:38 PM

                      I can't replicate the problem here. Set to check against LDAP, I get a login failure if I do not provide a password.

[image: Selection_119.jpg]

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

olakara, replying to jimp, Jan 10, 2019, 8:46 AM (edited 12:22 PM)

@jimp for me this works only with the local database; LDAP still allows access without a password.

[image: pf1.png]

jimp (Rebel Alliance Developer Netgate), Jan 10, 2019, 1:43 PM

                          Then it must be your AD server returning a successful auth message. The LDAP client on pfSense is working properly as far as I can tell.

                          Run a packet capture of the LDAP exchange and run it through Wireshark, see what the AD server is returning to you.


Gertjan, replying to jimp, Jan 10, 2019, 1:52 PM

@jimp said in Captive Portal with AD - LDAP authenticates without a password!!:

                            see what the AD server

Probably set up as a "Yes-Ok-Proceed" server...

Btw: the AD server log should tell you what happens.


vicentezago, Feb 1, 2019, 4:21 PM

                              Hello guys. All right?

Until I find a definitive solution, I made an adjustment in the /var/etc/captiveportal_wifi_myportal.html file so it does not continue if the password field is empty.

                              Before
<input type="password" name="auth_pass" placeholder="Password" id="auth_pass">

                              After
<input type="password" name="auth_pass" placeholder="Password" id="auth_pass" required>

                              That's it for now.

                              Thank you.

dimoz, Apr 10, 2019, 2:10 PM

                                Hi.
I have three pfSense 2.4.4-RELEASE-p2 firewalls with LDAP authentication servers (Windows Server 2008 R2 forest) and I can confirm the same behaviour reported by vicentezago.
Captive Portal accepts authentication with a blank password (to be precise, the authentication is successful with a blank password only if the user is in the required AD groups filtered by the extended query set in the LDAP authentication server).
The strange thing is that the "Authentication Tool" in the Diagnostics menu doesn't accept the blank password.

For now I have edited the CP page as vicentezago did.

I found a post in the OPNsense forum that says the bug is resolved with the 741082208 patch. I post the link.

https://forum.opnsense.org/index.php?topic=4605.0

Is it possible to implement the same patch in pfSense?

jimp (Rebel Alliance Developer Netgate), Apr 10, 2019, 2:17 PM

                                  Their code just prevents attempting to login with a blank password. While OK, that seems like a bad workaround. If your LDAP server is allowing someone to login with a blank password, you should fix the server instead.


dimoz, Apr 10, 2019, 3:21 PM

Ok, but I don't understand where the problem is in my Windows server.
All users that I tested have a NOT blank password in Active Directory (Windows client PCs and the Authentication test in Diagnostics confirm this, because they return an error if I try to authenticate with a blank password ("Simple! It is the wrong password!" :-)).
Why does CP accept this username/blank_password pairing?

                                    Thanks

jimp (Rebel Alliance Developer Netgate), Apr 10, 2019, 3:26 PM

CP is not deciding to pass it with a blank password. It passes the authentication request off to your AD server. CP is only accepting it because AD returns a response that says the authentication was successful.

You need to figure out why that is and change the server so it doesn't happen. Anonymous binds are one potential source of problems here, but it's definitely something on your AD server that needs to be fixed.

The problem is that even if CP or pfSense in general is patched to stop this, that does nothing to prevent other services that also authenticate against your AD structure from performing the same kind of binds and succeeding without a password. The problem needs to be solved at the source; you can't patch away this kind of security problem.


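The two points jimp makes above, that a Wireshark decode of the bind will show exactly what the AD server is being asked, and that it is the server and not the portal that grants the blank-password login, as an added Python example. This is not pfSense, Netgate or OPNsense code. It builds the LDAPv3 simple BindRequest a portal would send, classifies a captured one as anonymous, unauthenticated or simple in the RFC 4513 sense, and runs it against two constructed stand-in directories: one that answers an unauthenticated bind (a DN with an empty password) with success, which is the behaviour the thread observes, and one that refuses it. `safe_login` is the kind of client-side guard the OPNsense patch is described as adding; it belongs in the server-side code path, not only in the HTML form, since a `required` attribute is enforced by the browser alone. The DN, password and directory contents are made up for the demonstration.

```python
"""Added example, not pfSense, Netgate or OPNsense code: builds the LDAPv3 simple
BindRequest a portal sends, classifies a captured one (RFC 4513 s5.1), and shows
why a blank password must be refused on the client side.  The DN, password and
directory contents below are constructed for the demonstration."""

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53  # LDAP resultCodes
TEST_DN = "cn=12345678,ou=users,dc=example,dc=com"              # constructed account
DIRECTORY = {TEST_DN: "correct-horse"}                          # constructed password store


class BlankPasswordRejected(ValueError):
    """Raised by the client guard before any bind reaches the server."""


# Just enough BER to build and read an LDAP BindRequest (RFC 4511).
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(n: int) -> bytes:  # non-negative INTEGER (messageID, version)
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, simple [0] } }."""
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))

def parse_bind_request(pdu: bytes):
    """Return (dn, password, kind) for a captured simple BindRequest.

    RFC 4513 s5.1: empty name + empty password is anonymous; a name with an
    empty password is "unauthenticated", which a server may answer with
    success (0) without checking anything.  That is what a Wireshark decode
    of the exchange should be compared against."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL is [3])")
    dn, password = name.decode(), cred.decode()
    if not password:
        return dn, password, "unauthenticated" if dn else "anonymous"
    return dn, password, "simple"

def permissive_directory(pdu: bytes) -> int:
    """Constructed server that grants unauthenticated binds: the trap in this thread."""
    dn, password, kind = parse_bind_request(pdu)
    if kind != "simple":
        return SUCCESS  # nothing was verified, yet resultCode is 0
    return SUCCESS if DIRECTORY.get(dn) == password else INVALID_CREDENTIALS

def strict_directory(pdu: bytes) -> int:
    """Constructed server following RFC 4513 s5.1.2: refuse unauthenticated binds."""
    dn, password, kind = parse_bind_request(pdu)
    if kind == "unauthenticated":
        return UNWILLING_TO_PERFORM
    if kind == "anonymous":
        return SUCCESS  # allowed, but proves no identity
    return SUCCESS if DIRECTORY.get(dn) == password else INVALID_CREDENTIALS

def naive_login(directory, dn: str, password: str) -> bool:
    """A portal that trusts resultCode alone: user + blank password passes."""
    return directory(encode_bind_request(1, dn, password)) == SUCCESS

def safe_login(directory, dn: str, password: str) -> bool:
    """Client guard: never send a bind the server could treat as anonymous."""
    if not dn or not password:
        raise BlankPasswordRejected(f"refusing unauthenticated bind for {dn!r}")
    return naive_login(directory, dn, password)

if __name__ == "__main__":
    print(parse_bind_request(encode_bind_request(1, TEST_DN, ""))[2])  # unauthenticated
    print(naive_login(permissive_directory, TEST_DN, ""))  # True: the bug seen above
    print(naive_login(strict_directory, TEST_DN, ""))      # False
    try:
        safe_login(permissive_directory, TEST_DN, "")
    except BlankPasswordRejected as exc:
        print(exc)
```

Running it shows the same asymmetry the thread reports: against the permissive directory, `naive_login` returns True for the user with a blank password, while the strict directory and the client-side guard both refuse it. In a real capture, the thing to look for is a BindRequest whose `name` is populated and whose `simple` credential is a zero-length OCTET STRING (`80 00`), followed by a BindResponse with resultCode 0.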
dimoz, Apr 10, 2019, 3:43 PM (edited 4:00 PM)

Thank you.
You gave me a great hand in pointing me in the right direction.
I think the problem is that the Base DN or the Search Base DN (I will try) is set to the rootDSE of the domain, for which anonymous binds should be allowed by design.
Thank you very much.

brinch, replying to dimoz, Nov 7, 2019, 2:01 PM

@dimoz
Hi dimoz,
I have that exact same issue.
Did changing the search base OU fix it?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.