On Sep 17, 2024, at 6:45 AM, Connor Herring <connorrjherring@gmail.com> wrote:
Hopefully a quick one, I am on FreeRADIUS v3.2.1 so have implemented the recommended steps into my server to mitigate BlastRADIUS attacks (however unlikely) by adding the below into my default and inner-tunnel servers:
You don't need it in the inner-tunnel virtual server
Since I am using EAPTTLS/PAP, surely I am not susceptible to BlastRADIUS since the PAP traffic is within a TLS tunnel?
EAP isn't vulnerable. If you're only doing EAP, you're OK. But it's still good practice to add Message-Authenticator to *all* Access-Accept / Reject / Challenge.
Furthermore after implementing the aforementioned change, nothing seems to have changed in the debug log. Should I see a difference between the debugs before implementing this change and after?
You should be able to see the new policy being run in debug mode. Alan DeKok.