Hi Alan, Thank you for confirming. Apologies I can see the new policy being run, I just can't see anything having changed in the body of the debug. Kind regards, Connor On Tue, Sep 17, 2024 at 1:00 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 17, 2024, at 6:45 AM, Connor Herring <connorrjherring@gmail.com> wrote:
Hopefully a quick one, I am on FreeRADIUS v3.2.1 so have implemented the recommended steps into my server to mitigate BlastRADIUS attacks (however unlikely) by adding the below into my default and inner-tunnel servers:
You don't need it in the inner-tunnel virtual server
Since I am using EAPTTLS/PAP, surely I am not susceptible to BlastRADIUS since the PAP traffic is within a TLS tunnel?
EAP isn't vulnerable. If you're only doing EAP, you're OK.
But it's still good practice to add Message-Authenticator to *all* Access-Accept / Reject / Challenge.
Furthermore after implementing the aforementioned change, nothing seems to have changed in the debug log. Should I see a difference between the debugs before implementing this change and after?
You should be able to see the new policy being run in debug mode.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html