BlastRADIUS
Connor Herring
connorrjherring at gmail.com
Tue Sep 17 10:45:50 UTC 2024
Hi All,
Hopefully a quick one, I am on FreeRADIUS v3.2.1 so have implemented the
recommended steps into my server to mitigate BlastRADIUS attacks (however
unlikely) by adding the below into my default and inner-tunnel servers:
    authorize {
        if (!EAP-Message) {
            update reply {
                Message-Authenticator := 0x00
            }
        }
        ...
Since I am using EAP-TTLS/PAP, surely I am not susceptible to BlastRADIUS
since the PAP traffic is within a TLS tunnel? Or have I misunderstood? The
RADIUS also only communicates locally so not over the internet.
Furthermore after implementing the aforementioned change, nothing seems to
have changed in the debug log. Should I see a difference between the debugs
before implementing this change and after?
Kind regards,
Connor