The "Limit D-PSK generation per user" feature is case sensitive, allowing more
than the actual limit
10-16-2015 10:38 AM
We are testing the "Limit D-PSK generation per user to '#' devices" feature, and it appears that the username field is case sensitive. This means that "username" is counted as a different identity than "Username" or "USERname". I have the Limit D-PSK set to 3 devices max, and when testing this I was surprised that I was able to connect with more than 3 devices. When I looked on the Currently Active Clients I noticed that I had used different capitalization for some of the usernames. When I tried to create more than 3 using the same capitalization scheme, the system worked as expected and would not create an additional D-PSK.
The problem, however, is that an account named "username" can seemingly create an enormous number of D-PSKs, limited only by the number of different capitalization combinations for their username.
How can we prevent this? We are on a ZoneDirector 3100, running version 9.7.1.0 b.17.
5 REPLIES
10-16-2015 10:51 AM
Ken,
I think this was recognised as an issue and resolved in a later release. I can't remember exactly which version but you should be able to find it in the release notes.
Hope that helps,
Andy.
10-16-2015 11:19 AM
Thanks, Andy! Great to hear that it has been resolved!
10-16-2015 04:12 PM
Hmm... unfortunately it appears that the issue has not been fixed as of release 9.8.3.0.14, which is the last version that we can install due to the fact that our ZF7962 APs are not supported beyond this. It is rather disconcerting that an issue like this has been left open for so long. It's been several years since D-PSK was rolled out, yet a firmware released July 2015 still has not patched this security gap.
I can only hope that none of our users discovers this bug and takes advantage of it. Or does anyone have a workaround fix for this issue?
10-20-2015 10:10 AM
Looks like there is an unresolved feature request FR-978, and the underlying problem is that AD's db is not case sensitive.
Ex: Test, test, tEst - are all treated the same on AD and the same user can download multiple DPSK's even though the 'Limit DPSK to 1 user' feature has been enabled.
I have an inquiry in to product marketing and development engineering, will let you know.
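An audit for the mismatch described in this thread, added here as an example and not code from any poster or from Ruckus: it counts issued D-PSKs per user after folding case, the way a case-insensitive directory matches names, and reports identities over the limit. The CSV layout with `user` and `mac` columns is a hypothetical export format, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per issued D-PSK. The column names are
# hypothetical; adapt them to whatever your controller export contains.
SAMPLE_EXPORT = """user,mac
username,00:11:22:33:44:01
username,00:11:22:33:44:02
username,00:11:22:33:44:03
Username,00:11:22:33:44:04
USERname,00:11:22:33:44:05
alice,00:11:22:33:44:10
Alice,00:11:22:33:44:11
bob,00:11:22:33:44:20
"""


def canonical(user: str) -> str:
    """Fold a login name the way a case-insensitive directory matches it."""
    return user.strip().casefold()


def audit_dpsk_limit(export_text: str, limit: int) -> dict:
    """Return {canonical user: {"spellings": [...], "devices": n}} for every
    identity holding more D-PSKs than `limit` once case is ignored."""
    spellings = defaultdict(set)
    devices = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        key = canonical(row["user"])
        spellings[key].add(row["user"].strip())
        devices[key].add(row["mac"].strip().lower())
    return {
        key: {"spellings": sorted(spellings[key]), "devices": len(devices[key])}
        for key in devices
        if len(devices[key]) > limit
    }


if __name__ == "__main__":
    # No single spelling exceeds 3 here, but the folded identity does.
    for user, info in audit_dpsk_limit(SAMPLE_EXPORT, limit=3).items():
        print(f"{user}: {info['devices']} D-PSKs via {info['spellings']}")
```

Any identity reported with more than one spelling is a candidate for revoking the extra keys.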

