Question after updating (Blast RADIUS)

Burn Zero burnzerog at gmail.com
Thu Jul 11 13:12:02 UTC 2024


 Hi,

I updated the packages and the configuration today
(require_message_authenticator = auto
limit_proxy_state = auto). Please note that we have hundreds of clients and
I don't know if they are updated or not. I informed them to check with
their vendors. But as recommended, I upgraded the FreeRADIUS servers first.

After that I went through the logs and I see below:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> BlastRADIUS check: Received packet without Message-Authenticator.
> Setting "require_message_authenticator = false" for client <client name>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK IS
VULNERABLE TO THE BLASTRADIUS ATTACK.
Thu Jul 11 14:06:23 2024 : Error: Once the client is upgraded, set
"require_message_authenticator = true" for <client name>
>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thu Jul 11 14:06:23 2024 : Error: Setting "limit_proxy_state = true" for
client <client name>
Thu Jul 11 14:06:23 2024 : Error:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thu Jul 11 14:06:23 2024 : Error: The packet does not contain
Message-Authenticator, which is a security issue.
Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE
VULNERABLE TO THE BLASTRADIUS ATTACK.

Does that error mean:
1. The setting is set to false for that particular client and enabled for
all other clients?
2. It is said that the change does not persist across server restarts. So
what if the server restarts and the same client connects? Will it be set to
false for that client again?
3. Even if we have both (require_message_authenticator = auto and
limit_proxy_state = auto) set in the radiusd.conf, will the clients which are
not upgraded still be able to connect?

I went through the documentation in radiusd.conf.rpmnew but I am still
confused. Sorry.

Thank you.
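An added example that is not part of the post and not FreeRADIUS project code: with hundreds of clients, the "Setting ... for client <name>" messages quoted above are the only record of which clients the server learned to run without Message-Authenticator, and that record is lost at restart. The script below parses those lines into a per-client table and lists the clients that still need a vendor upgrade. The sample log is constructed, the client names are placeholders, and the line for a client that did send Message-Authenticator (`= true`) is an assumed format, since the post only shows the `= false` case.

```python
import re
from typing import Dict, List

# Constructed sample log, modelled on the "BlastRADIUS check" messages quoted in
# the post. Client names are placeholders. The "= true" line is an assumption about
# the message logged for a client that did send Message-Authenticator.
SAMPLE_LOG = """\
Thu Jul 11 14:06:23 2024 : Error: BlastRADIUS check: Received packet without Message-Authenticator.
Thu Jul 11 14:06:23 2024 : Error: Setting "require_message_authenticator = false" for client switch-floor1
Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Thu Jul 11 14:06:23 2024 : Error: Setting "limit_proxy_state = true" for client switch-floor1
Thu Jul 11 14:06:24 2024 : Error: Setting "require_message_authenticator = true" for client wlc-core
Thu Jul 11 14:06:24 2024 : Error: Setting "limit_proxy_state = true" for client wlc-core
Thu Jul 11 14:06:25 2024 : Error: Setting "require_message_authenticator = false" for client ap-lobby
Thu Jul 11 14:06:25 2024 : Error: Setting "limit_proxy_state = true" for client ap-lobby
"""

# One message per line in the real log file; the copy in the post is only wrapped by
# the mail client. \s+ tolerates that wrapping if wrapped lines are joined first.
SETTING_RE = re.compile(
    r'Setting "(?P<key>require_message_authenticator|limit_proxy_state)'
    r' = (?P<value>true|false)" for\s+client (?P<client>\S+)'
)


def parse_blastradius_settings(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each client name to the last value the server chose for each setting."""
    state: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        m = SETTING_RE.search(line)
        if m:
            state.setdefault(m["client"], {})[m["key"]] = m["value"]
    return state


def clients_needing_upgrade(state: Dict[str, Dict[str, str]]) -> List[str]:
    """Clients the server fell back to require_message_authenticator = false for,
    i.e. clients that sent at least one Access-Request without Message-Authenticator."""
    return sorted(c for c, s in state.items()
                  if s.get("require_message_authenticator") == "false")


def clients_verified(state: Dict[str, Dict[str, str]]) -> List[str]:
    """Clients observed sending Message-Authenticator (setting resolved to true)."""
    return sorted(c for c, s in state.items()
                  if s.get("require_message_authenticator") == "true")


def report(log_text: str) -> str:
    """Human-readable summary to reconcile against clients.conf after each restart."""
    state = parse_blastradius_settings(log_text)
    lines = [f"{len(state)} client(s) seen in log"]
    for client in sorted(state):
        settings = ", ".join(f"{k}={v}" for k, v in sorted(state[client].items()))
        lines.append(f"  {client}: {settings}")
    lines.append("Needs vendor upgrade (sent no Message-Authenticator): "
                 + (", ".join(clients_needing_upgrade(state)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real radius.log (or the journal output) after the upgrade window; the "needs vendor upgrade" list is the set of clients to chase, and the per-client table is what you compare against the explicit per-client settings you record in clients.conf once a client is confirmed upgraded.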
