Question after updating (Blast RADIUS)
Alan DeKok
aland at deployingradius.com
Thu Jul 11 13:44:29 UTC 2024
On Jul 11, 2024, at 9:12 AM, Burn Zero <burnzerog at gmail.com> wrote:
> I updated the packages and the configuration today
> (require_message_authenticator = auto
> limit_proxy_state = auto). Please note that we have hundreds of clients and
> I don't know if they are updated or not. I informed them to check with
> their vendors. But as recommended, I upgraded the FreeRADIUS servers first.
It's also good to check what the clients are doing. The "auto" setting works for *most* clients, but there are cases where it does not work. The only way to tell is to check.
> After that I went through the logs and I see below:
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> BlastRADIUS check: Received packet without Message-Authenticator.
>> Setting "require_message_authenticator = false" for client <client name>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK IS
> VULNERABLE TO THE BLASTRADIUS ATTACK.
> Thu Jul 11 14:06:23 2024 : Error: Once the client is upgraded, set
> "require_message_authenticator = true" for <client name>
>>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Jul 11 14:06:23 2024 : Error: Setting "limit_proxy_state = true" for
> client <client name>
> Thu Jul 11 14:06:23 2024 : Error:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Jul 11 14:06:23 2024 : Error: The packet does not contain
> Message-Authenticator, which is a security issue.
> Thu Jul 11 14:06:23 2024 : Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE
> VULNERABLE TO THE BLASTRADIUS ATTACK.
>
> Does that error mean,
> 1. The setting is set to false for that particular client and enabled for
> all other clients?
It's setting it to "false" for that client. It's still "auto" for other clients.
The server will produce a message every time it changes the setting from "auto" to something else.
> 2. It is said that the change does not persist across server restarts. So
> what if the server restarts and the same client connects? Will it be set to
> false for that client again?
If the client sends the same packets, yes.
> 3. Even if we have both (require_message_authenticator = auto and
> limit_proxy_state = auto) set in the radiusd.conf, the clients which are
> not upgraded will still be able to connect?
Yes.
The entire goal of "auto" is that it won't break existing systems.
Alan DeKok.
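The "check what the clients are doing" step from the reply above, as an added example that is not part of this thread or of FreeRADIUS itself: a small Python checker that parses a RADIUS Access-Request and reports whether the Message-Authenticator attribute (type 80, RFC 2869) is missing, valid, or invalid for the shared secret. The packets and the secret below are constructed test data, not captures from the poster's network.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type for Message-Authenticator (RFC 2869)
ACCESS_REQUEST = 1


def parse_attributes(packet: bytes):
    """Return (type, value_offset, value) for each attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def check_message_authenticator(packet: bytes, secret: bytes) -> str:
    """Classify a packet as 'missing', 'valid' or 'invalid' with respect to Message-Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:length]  # trailing bytes beyond the Length field are ignored
    for atype, voff, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            # HMAC-MD5 keyed with the shared secret over the packet with the MA value zeroed
            zeroed = packet[:voff] + b"\x00" * 16 + packet[voff + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "missing"


def build_access_request(secret: bytes, attrs, with_ma: bool) -> bytes:
    """Build a constructed Access-Request (identifier 7, fixed Request Authenticator) for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if with_ma:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16  # placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + b"\x11" * 16 + body
    if with_ma:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


if __name__ == "__main__":
    secret = b"placeholder-shared-secret"
    for with_ma in (True, False):
        pkt = build_access_request(secret, [(1, b"bob")], with_ma)  # User-Name = bob
        print("Message-Authenticator:", check_message_authenticator(pkt, secret))
```

A client whose Access-Requests come back "missing" is one the "auto" setting will downgrade, and is the one to chase with the vendor before switching that client to `require_message_authenticator = true`.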