[EXT] Blast RADIUS resources to protect your network
Brian Julin
BJulin at clarku.edu
Thu Jul 11 14:01:26 UTC 2024
Alan DeKok wrote:
> On Jul 10, 2024, at 3:55 PM, Brian Julin <BJulin at clarku.edu> wrote:
>> Just wanted to thank Alan. We lucked out, our NAS units all seem to send a Message-Authenticator.
> If you can say, which vendor?
HPE/Aruba
ArubaOS-S (at least since WC.16.11.0007 and probably much earlier)
ArubaOS-CX (at least since FL.10.10.1090 and probably earlier)
ArubaOS (WiFi controllers) (at least since 8.10.0.12_89862 and probably earlier)
Observed all of the above sending Message-Authenticator during non-EAP (macauth) transactions. Also have verified the WiFi controller's Message-Authenticator actually works. Will likely be turning on the requirement for the other OSes today, assuming overnight logs didn't turn up any cretinous old equipment on the network... but not expecting any issues there.
Note: we did not test radius-based admin auth, because we don't use it. I never liked the idea of getting locked out of my network gear because a network problem was preventing communication to a centralized authentication server. Call me old fashioned if you will.
Their ClearPass server of course is another matter and I have not been yet able to find a knob in there to require the attribute... if their FreeRADIUS version is even new enough to have it. I know they hardened up CoA a while back but I think they still accept requests without Message-Authenticator. Might be able to hack it by routing any requests with no Message-Authenticator to a service that dead-ends them, but for now, was already secured with network-level lockdowns.
I'm guessing they will be responsive after the media reception you all managed to drum up and release a patch to help mitigate.
Had to teach all my radclient/radtest-using scripts to send a Message-Authenticator but other than that this has been fairly easy to mitigate here.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
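For scripts like the radclient/radtest ones mentioned in the post, the attribute can be built and checked from plain Python with no RADIUS library; this is an added example, not code from the post or from FreeRADIUS. It follows RFC 2869 section 5.14 (HMAC-MD5 over the packet with the Message-Authenticator value zeroed; replies are keyed over the original Request Authenticator), treats a missing attribute as a verification failure, and uses a constructed secret, identifier and User-Name; the reply's own Response Authenticator field is taken as an input rather than computed.

```python
import hmac
import hashlib
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14, HMAC-MD5 keyed with the shared secret

def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_signed_packet(secret, code, ident, authenticator_field, request_authenticator, attrs):
    """Append a Message-Authenticator to a packet. For an Access-Request both authenticators
    are the Request Authenticator; for a reply the HMAC is computed over the request's."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    length = 20 + len(body) + 18
    head = struct.pack("!BBH", code, ident, length)
    # HMAC input: header with the Request Authenticator, attributes, MA value set to 16 zeros
    zeroed = head + request_authenticator + body + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return head + authenticator_field + body + tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)

def build_access_request(secret, ident, request_authenticator, attrs):
    return build_signed_packet(secret, CODE_ACCESS_REQUEST, ident, request_authenticator,
                               request_authenticator, attrs)

def find_message_authenticator(pkt):
    """Walk the attribute list; return (offset of value, value) or None if absent/malformed."""
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            return None
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            return i + 2, pkt[i + 2:i + 18]
        i += l
    return None

def verify_message_authenticator(secret, pkt, request_authenticator):
    """True only if the packet carries a Message-Authenticator that matches the secret.
    A missing attribute is a failure: an unsigned packet is what Blast-RADIUS relies on."""
    found = find_message_authenticator(pkt)
    if found is None:
        return False
    off, got = found
    zeroed = pkt[:4] + request_authenticator + pkt[20:off] + bytes(16) + pkt[off + 16:]
    expect = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expect, got)
```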