BlastRADIUS
Connor Herring
connorrjherring at gmail.com
Tue Sep 17 12:03:31 UTC 2024
Hi Alan,
Thank you for confirming. Apologies, I can see the new policy being run; I
just can't see anything having changed in the body of the debug.
Kind regards,
Connor
On Tue, Sep 17, 2024 at 1:00 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Sep 17, 2024, at 6:45 AM, Connor Herring <connorrjherring at gmail.com>
> wrote:
> > Hopefully a quick one, I am on FreeRADIUS v3.2.1 so have implemented the
> > recommended steps into my server to mitigate BlastRADIUS attacks (however
> > unlikely) by adding the below into my default and inner-tunnel servers:
>
> You don't need it in the inner-tunnel virtual server.
>
> > Since I am using EAP-TTLS/PAP, surely I am not susceptible to BlastRADIUS
> > since the PAP traffic is within a TLS tunnel?
>
> EAP isn't vulnerable. If you're only doing EAP, you're OK.
>
> But it's still good practice to add Message-Authenticator to *all*
> Access-Accept / Reject / Challenge.
>
> > Furthermore after implementing the aforementioned change, nothing seems to
> > have changed in the debug log. Should I see a difference between the debugs
> > before implementing this change and after?
>
> You should be able to see the new policy being run in debug mode.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
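An added example, not part of the original thread and not FreeRADIUS code: one way to confirm from a captured reply that Message-Authenticator (attribute 80) is present and valid, using the HMAC-MD5 construction from RFC 2869 / RFC 3579. The function names, the shared secret and the sample packets are constructed for illustration; the "first attribute" distinction assumes the BlastRADIUS mitigation guidance of placing the attribute first in replies.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 / RFC 3579

def check_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> str:
    """Return 'missing', 'invalid', 'valid-not-first' or 'valid-first'."""
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad RADIUS length field")
    attrs = reply[20:length]
    pos, offset = 0, None
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[pos] == MESSAGE_AUTHENTICATOR and attrs[pos + 1] == 18 and offset is None:
            offset = pos
        pos += attrs[pos + 1]
    if offset is None:
        return "missing"
    received = attrs[offset + 2:offset + 18]
    # The HMAC is computed with the 16 value bytes zeroed and, for replies,
    # with the Request Authenticator of the matching Access-Request.
    zeroed = attrs[:offset + 2] + bytes(16) + attrs[offset + 18:]
    expected = hmac.new(secret, reply[:4] + request_authenticator + zeroed,
                        hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return "invalid"
    return "valid-first" if offset == 0 else "valid-not-first"

def build_reply(code, ident, request_authenticator, secret, attrs,
                with_ma=True, ma_first=True) -> bytes:
    """Construct a sample reply (test data only, not a server implementation)."""
    ma = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    body = (ma + attrs if ma_first else attrs + ma) if with_ma else attrs
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:
        mac = hmac.new(secret, header + request_authenticator + body,
                       hashlib.md5).digest()
        off = 0 if ma_first else len(attrs)
        body = body[:off + 2] + mac + body[off + 18:]
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body
```

Feed `check_reply` the raw UDP payload of an Access-Accept, Access-Reject or Access-Challenge together with the 16-byte authenticator from the request that has the same ID.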