Vulnerability: built-in radius using weak or compromised ciphers/hashes
- Issue #1: Built-in Omada Radius server uses EAP-MD5-Challenge by default. This method is compromised and deprecated, and declined by the client machine for that reason.
- Issue #2: Built-in Omada Radius server then switches to EAP-PEAP but resorts to the weakest cipher supported by the client for the outer tunnel (TLS_RSA_WITH_AES_128_CBC_SHA, which is considered weak: https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA/).
- Issue #3: Built-in Omada Radius server still "secures" the inner tunnel with MD5, which again is a compromised method that leaves users vulnerable.
- Issue #4: TLS 1.3 doesn't seem to work to secure the outer tunnel.
Expected behaviours:
- Compromised ciphers should be disabled in the built-in Omada Radius server.
- The built-in Omada Radius server should pick the strongest common cipher.
- The built-in Omada Radius server should implement TLS 1.3 to secure the outer tunnel.
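
The selection behaviour asked for in the second expected behaviour, sketched as an added example that is not part of the original post and is not Omada code: the server walks its own strongest-first preference list and refuses a suite with known weaknesses instead of falling back to it. The preference order, function names and client offer are assumptions made for illustration.

```python
# Added illustration; the preference order and names are assumptions, not Omada's.
SERVER_PREFERENCE = [                          # strongest first
    "TLS_AES_256_GCM_SHA384",                  # TLS 1.3
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # TLS 1.2, forward secrecy + AEAD
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # the suite named in Issue #2
]


def weaknesses(suite):
    """Return the reasons an IANA suite name is considered weak (empty if none)."""
    reasons = []
    # TLS 1.3 suite names carry no key-exchange part and no "_WITH_".
    if "_WITH_" in suite:
        key_exchange = suite[len("TLS_"):suite.index("_WITH_")]
        if key_exchange == "RSA":
            reasons.append("static RSA key exchange (no forward secrecy)")
    if "_CBC_" in suite:
        reasons.append("CBC mode (not AEAD)")
    if suite.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    return reasons


def select_suite(client_offer, server_preference=SERVER_PREFERENCE, allow_weak=False):
    """Pick the first suite in the server's order that the client also offers.

    Weak suites are skipped unless allow_weak is set; None means there is no
    acceptable common suite and the handshake should fail rather than downgrade.
    """
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered and (allow_weak or not weaknesses(suite)):
            return suite
    return None


# Constructed client offer (not captured traffic): weakest suite listed first.
CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    print("selected:", select_suite(CLIENT_OFFER))
    print("weak:", weaknesses("TLS_RSA_WITH_AES_128_CBC_SHA"))
```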