pam_radius and Blast RADIUS
Eric Lin
pirate585 at gmail.com
Fri Jul 12 07:42:43 UTC 2024
Hi Alan,
Thanks a lot and I know where to start now.
Regards,
Eric
On Thu, Jul 11, 2024 at 7:21 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jul 11, 2024, at 2:25 AM, Eric Lin <pirate585 at gmail.com> wrote:
> > We are using pam_radius for authentication.
> > On both radius server and radius client (Ubuntu 22.04), after upgrade
> > to 3.2.5-1, I am seeing
> >
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > BlastRADIUS check: Received packet without Message-Authenticator.
> > Setting "require_message_authenticator = false" for client
> > client_10.42.18.224_28
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
> > Once the client is upgraded, set "require_message_authenticator =
> > true" for client client_10.42.18.224_28
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > BlastRADIUS check: Received packet without Proxy-State.
> > Setting "limit_proxy_state = true" for client client_10.42.18.224_28
>
> So set "limit_proxy_state = true", and the system will be protected. That's what the message is trying to tell you.
>
> > Should I take any action?
>
> Read the message and do what it says?
>
> We will be releasing a new version of the pam_radius module shortly. It will add fixes for the client.
>
> You will still continue to see the above messages (or some variant of them) until you follow the instructions in the message, and set the new configuration flags.
>
> Alan DeKok.
>
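Added example, not part of the original thread and not FreeRADIUS or pam_radius code: a small parser that turns the BlastRADIUS check messages quoted above into a per-client list of which clients to upgrade before requiring Message-Authenticator, and for which the server suggests limit_proxy_state = true. The function names, the sample log, and the second client name (client_example_nas) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: message text as quoted in the thread, wrapped the way
# the mail wrapped it. "client_example_nas" is a hypothetical second client.
SAMPLE_LOG = '''
BlastRADIUS check: Received packet without Message-Authenticator.
Setting "require_message_authenticator = false" for client
client_10.42.18.224_28
UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
Once the client is upgraded, set "require_message_authenticator =
true" for client client_10.42.18.224_28
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client client_10.42.18.224_28
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client client_example_nas
'''

# Only the server's own 'Setting "<flag> = <value>" for client <name>' lines
# are matched; the 'set "..."' advice line is deliberately ignored.
SETTING_RE = re.compile(
    r'Setting "(require_message_authenticator|limit_proxy_state) = '
    r'(true|false)" for client (\S+)'
)

def blastradius_report(log_text):
    """Return {client: {flag: bool}} as auto-detected by the server."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    report = defaultdict(dict)
    for flag, value, client in SETTING_RE.findall(flat):
        report[client][flag] = value == "true"
    return dict(report)

def clients_needing_upgrade(report):
    """Clients seen sending packets without Message-Authenticator."""
    return sorted(c for c, f in report.items()
                  if f.get("require_message_authenticator") is False)

def limit_proxy_state_clients(report):
    """Clients for which the server suggests limit_proxy_state = true."""
    return sorted(c for c, f in report.items() if f.get("limit_proxy_state"))

if __name__ == "__main__":
    rep = blastradius_report(SAMPLE_LOG)
    print("upgrade first:", clients_needing_upgrade(rep))
    print("set limit_proxy_state = true:", limit_proxy_state_clients(rep))
```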