Question after updating (Blast RADIUS)
Hi, I updated the packages and the configuration today (require_message_authenticator = auto limit_proxy_state = auto). Please note that we have hundreds of clients and I don't know if they are updated or not. I informed them to check with their vendors. But as recommended, I upgraded the FreeRADIUS servers first. After that I went through the logs and I see below: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client <client name> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Thu Jul 11 14:06:23 2024 : Error: Once the client is upgraded, set "require_message_authenticator = true" for <client name>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jul 11 14:06:23 2024 : Error: Setting "limit_proxy_state = true" for client <client name> Thu Jul 11 14:06:23 2024 : Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jul 11 14:06:23 2024 : Error: The packet does not contain Message-Authenticator, which is a security issue. Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK. Does that error mean, 1. The setting is set to false for that particular client and enabled for all other clients? 2. It is said that the change does not persist across server restarts. So what if the server restarts and the same client connects? Will it be set to false for that client again? 3. Even if we have the both (require_message_authenticator = auto and limit_proxy_state = auto) set in the radiusd.conf, the clients which are not upgraded will still be able to connect? I went through the documentation in radiusd.conf.rpmnew but I am still confused. Sorry. Thank you.
On Jul 11, 2024, at 9:12 AM, Burn Zero <burnzerog@gmail.com> wrote:
I updated the packages and the configuration today (require_message_authenticator = auto limit_proxy_state = auto). Please note that we have hundreds of clients and I don't know if they are updated or not. I informed them to check with their vendors. But as recommended, I upgraded the FreeRADIUS servers first.
It's also good to check what the clients are doing. The "auto" setting works for *most* clients, but there are cases where it does not work. The only way to tell is to check.
After that I went through the logs and I see below:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Message-Authenticator. Setting "require_message_authenticator = false" for client <client name> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK. Thu Jul 11 14:06:23 2024 : Error: Once the client is upgraded, set "require_message_authenticator = true" for <client name>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jul 11 14:06:23 2024 : Error: Setting "limit_proxy_state = true" for client <client name> Thu Jul 11 14:06:23 2024 : Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Jul 11 14:06:23 2024 : Error: The packet does not contain Message-Authenticator, which is a security issue. Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
Does that error mean, 1. The setting is set to false for that particular client and enabled for all other clients?
It's setting it to "false" for that client. It's still "auto" for other clients. The server will produce a message every time it changes the setting from "auto" to something else.
2. It is said that the change does not persist across server restarts. So what if the server restarts and the same client connects? Will it be set to false for that client again?
If the client sends the same packets, yes.
3. Even if we have the both (require_message_authenticator = auto and limit_proxy_state = auto) set in the radiusd.conf, the clients which are not upgraded will still be able to connect?
Yes. The entire goal of "auto" is that it won't break existing systems. Alan DeKok.
participants (2)
-
Alan DeKok -
Burn Zero