BlastRADIUS

Alan DeKok aland at deployingradius.com
Tue Sep 17 11:59:03 UTC 2024


On Sep 17, 2024, at 6:45 AM, Connor Herring <connorrjherring at gmail.com> wrote:
> Hopefully a quick one, I am on FreeRADIUS v3.2.1 so have implemented the
> recommended steps into my server to mitigate BlastRADIUS attacks (however
> unlikely) by adding the below into my default and inner-tunnel servers:

  You don't need it in the inner-tunnel virtual server.

> Since I am using EAPTTLS/PAP, surely I am not susceptible to BlastRADIUS
> since the PAP traffic is within a TLS tunnel?

  EAP isn't vulnerable.  If you're only doing EAP, you're OK.

  But it's still good practice to add Message-Authenticator to *all* Access-Accept / Reject / Challenge.

> Furthermore after implementing the aforementioned change, nothing seems to
> have changed in the debug log. Should I see a difference between the debugs
> before implementing this change and after?

  You should be able to see the new policy being run in debug mode.

  Alan DeKok.
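
One way to confirm that replies now carry a valid Message-Authenticator, as an added example that is not part of the original message and is not FreeRADIUS code. It recomputes the HMAC-MD5 defined in RFC 2869 over a captured reply; the function names, the shared secret and the sample packets are assumptions constructed for illustration, and the Response Authenticator itself is not checked here.

```python
import hashlib, hmac, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def find_message_authenticator(packet: bytes):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH:
            if alen != 18:
                raise ValueError("bad Message-Authenticator length")
            return pos + 2
        pos += alen
    return None

def check_response(response: bytes, request_auth: bytes, secret: bytes) -> str:
    """Classify a reply as 'missing', 'invalid' or 'valid'."""
    off = find_message_authenticator(response)
    if off is None:
        return "missing"
    # HMAC-MD5 over the reply with the Request Authenticator in the
    # authenticator field and the Message-Authenticator value zeroed.
    length = struct.unpack("!H", response[2:4])[0]
    buf = bytearray(response[:length])
    buf[4:20] = request_auth
    received = bytes(buf[off:off + 16])
    buf[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"

def build_reply(code, ident, request_auth, secret, attrs, with_ma=True):
    """Construct a sample reply (test data only, not a captured packet)."""
    if with_ma:
        attrs = bytes([MSG_AUTH, 18]) + bytes(16) + attrs
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs)
    if with_ma:
        pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + request_auth + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)
```
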


