
required message-authenticator for requests and access-challenge in privacyidea radius handling #66

Closed
mierswa opened this issue Jul 15, 2024 · 3 comments

Comments

@mierswa

mierswa commented Jul 15, 2024

Hello,

Nowadays RADIUS authentication has a vulnerability: https://www.heise.de/en/news/Blast-RADIUS-Security-vulnerability-in-the-RADIUS-network-protocol-published-9797220.html

Is there a chance to implement the Message-Authenticator?
I think it must be implemented in this file:
https://github.com/privacyidea/FreeRADIUS/blob/master/privacyidea_radius.pm

The code has to handle Message-Authenticator as described in RFC 3579: https://datatracker.ietf.org/doc/html/rfc3579#section-3.2

Excerpt from the RFC:

This attribute MAY be used to authenticate and integrity-protect
Access-Requests in order to prevent spoofing. It MAY be used in
any Access-Request. It MUST be used in any Access-Request,
Access-Accept, Access-Reject or Access-Challenge that includes an
EAP-Message attribute.

Thanks for your help.
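The RFC 3579 section 3.2 computation the issue asks for, written out as an added, self-contained Python example (it is not code from the privacyidea plug-in or from FreeRADIUS): the Message-Authenticator is HMAC-MD5 over Code, Identifier, Length, Request Authenticator and Attributes, keyed with the shared secret and with the attribute's own 16 octets zeroed, and for an Access-Challenge the Request Authenticator of the matching Access-Request is used in place of the Response Authenticator. All packet contents, secrets and authenticators below are constructed sample values.

```python
import hashlib, hmac, struct

MESSAGE_AUTHENTICATOR = 80      # attribute type; value is always 16 octets
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
HEADER = 20                     # Code(1) Identifier(1) Length(2) Authenticator(16)

def encode_attr(attr_type, value):  # RADIUS TLV: Type(1) Length(1, header included) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code, ident, authenticator, attrs):
    """Assemble a packet with a zeroed Message-Authenticator appended as placeholder."""
    body = b"".join(attrs) + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    return struct.pack("!BBH", code, ident, HEADER + len(body)) + authenticator + body

def find_message_authenticator(packet):
    """Offset of the 16-octet value, or None if absent. Rejects malformed TLVs."""
    pos = HEADER
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        if t == MESSAGE_AUTHENTICATOR:
            if l != 18:
                raise ValueError("Message-Authenticator must be 16 octets")
            return pos + 2
        pos += l
    return None

def message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5(Code, Identifier, Length, Request Authenticator, Attributes) keyed with
    the shared secret, Message-Authenticator value zeroed. For Access-Accept/Reject/
    Challenge the Request Authenticator of the matching request replaces the field."""
    off = find_message_authenticator(packet)
    if off is None or len(request_authenticator) != 16:
        raise ValueError("missing Message-Authenticator or bad authenticator length")
    buf = bytearray(packet)
    buf[4:HEADER] = request_authenticator
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def sign(packet, secret, request_authenticator):
    off = find_message_authenticator(packet)
    return packet[:off] + message_authenticator(packet, secret, request_authenticator) + packet[off + 16:]

def verify(packet, secret, request_authenticator):
    """True only when a well-formed Message-Authenticator is present and matches."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    return hmac.compare_digest(packet[off:off + 16], message_authenticator(packet, secret, request_authenticator))
```

A server enforcing `require_message_authenticator` behaves like `verify()` returning False for a packet with no attribute: the request is dropped rather than processed.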

@plettich
Member

This will probably be fixed with #67.
However, it is interesting that we have to set the Message-Authenticator attribute in the plug-in instead of configuring it in the server.

@basvandervlies
Contributor

You also have to require it on the server. If it is not sent, the server will drop the packet, e.g.:

    #
    client cartesius {
        ipaddr = 10.0.0.1/24
        require_message_authenticator = yes
        nas_type = other
    }

This is for the client check: if it does not receive a packet with this information, it will drop the connection, e.g.:

    auth required pam_radius_auth.so skip_passwd retry=1 require_message_authenticator

@plettich
Member

plettich commented Aug 1, 2024

Closed with #67

@plettich plettich closed this as completed Aug 1, 2024