Sundararajan

Reputation: 704

require_message_authenticator in FreeRadius not behaving as it should

I've recently been testing FreeRADIUS 3.0.27 (the release which has the fix for the BlastRADIUS vulnerability).

From the documentation on GitHub:

#  Global configuration for requiring Message-Authenticator in
#  all Access-* packets sent over UDP or TCP.  This flag is
#  ignored for TLS.
#
#  The number one way to protect yourself from the BlastRADIUS
#  attack is to update all RADIUS servers, and then set this
#  flag to "yes".  If all RADIUS servers are updated, and if
#  all of them have this flag set to "yes" for all clients,
#  then your network is safe.  You can then upgrade the
#  clients when it is convenient, instead of rushing the
#  upgrades.

As per the suggestion, I tried setting require_message_authenticator = yes and sent an auth request with radclient, which works as expected.

[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx.xxx.xxx.xxx"
Message-Authenticator = 0x00

[root@hostname ~]# radclient -4 -xx xxx.xxx.xxx.xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 234 from 0.0.0.0:64365 to xxx.xxx.xxx.xxx:1812 length 78
    User-Name = "testuser"
    User-Password = "XXXXXXX"
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Message-Authenticator = 0x00
    Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 234 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:64365 length 119
    Message-Authenticator = 0xae26df4b307a7fda19f6707a808f42d0
    Reply-Message = "AAA provided by Radius"

However, when I try to authenticate without the Message-Authenticator attribute, I still get Access-Accept.

[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx.xxx.xxx.xxx"
[root@hostname ~]# radclient -4 -xx xxx.xxx.xxx.xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 131 from 0.0.0.0:61581 to xxx.xxx.xxx.xxx:1812 length 78
    User-Name = "testuser"
    User-Password = "XXXXXXX"
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 131 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:61581 length 119
    Message-Authenticator = 0x9774e2e86df2dbc1c9149b564cad42a3
    Reply-Message = "AAA provided by Radius"

As per the documentation, if require_message_authenticator = yes is set in the security block of the radiusd.conf file, then Authentication packets received without Message-Authenticator should be discarded with an Access-Reject. But in my case I'm getting Access-Accept.

I also noticed another block on GitHub:

#    WARNING: This switch is done for the first packet
#    received from that client or home server.  The change
#    does NOT persist across server restarts.  You MUST change
#    the to "yes" manually, in order to make a permanent
#    change to the configuration.

As per this statement, I have also restarted the radius service between both requests. The behavior is still the same.

I need someone to clear up the confusion and point me in the right direction.

EDIT

Even if I'm not supplying Message-Authenticator, I still see in the debug log that the request was received with Message-Authenticator:

[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx:xxx:xxx:xxx"
[root@hostname ~]# radclient -4 -xx xxx:xxx:xxx:xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 107 from 0.0.0.0:45126 to xxx:xxx:xxx:xxx:1812 length 78
    User-Name = "testuser"
    User-Password = "XXXXXXX"
    NAS-IP-Address = xxx:xxx:xxx:xxx
    Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 107 from xxx:xxx:xxx:xxx:1812 to xxx:xxx:xxx:xxx:45126 length 119
    Message-Authenticator = 0x96ffc2cd0efb573f7afde1576e0e0df4
    Reply-Message = "AAA provided by Radius"
(0) Received Access-Request Id 107 from xxx.xxx.xxx.xxx:45126 to xxx.xxx.xxx.xxx:1812 length 78
(0)   Message-Authenticator = 0x83889fe4cb0a42b5d56c015f593270ae
(0)   User-Name = "testuser"
(0)   User-Password = "XXXXXXX"
(0)   NAS-IP-Address = xxx.xxx.xxx.xxx

Upvotes: 0

Views: 1210

Answers (1)

A. DeKok

Reputation: 1

You're trying to debug the server by looking at the client output. This isn't the right approach. All of the documentation says to run the server in debug mode, and then read the output.

In this case, radclient has the BlastRADIUS mitigations added to it, i.e. it's always sending Message-Authenticator in Access-Request packets, even when the input file doesn't explicitly include Message-Authenticator.

Run the server in debug mode, and read the output. You will see that it is receiving an Access-Request which contains Message-Authenticator.

Upvotes: 0
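To make the answer concrete, here is an added example (my own code, not FreeRADIUS or radclient code) that builds an Access-Request the way radclient now does, with Message-Authenticator appended and computed as HMAC-MD5 over the packet per RFC 2869, and beside it the server-side check that require_message_authenticator = yes enables: reject when the attribute is absent, reject when the HMAC does not verify. The shared secret, NAS address and request authenticator are constructed values; the user name and password echo the question. Running check_access_request on a packet built with include_ma=False shows what the server would do if radclient really had omitted the attribute.

```python
"""Build and verify RADIUS Access-Request packets with and without
Message-Authenticator (RFC 2865 / RFC 2869).  Added example, not FreeRADIUS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + request authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def recover_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of obfuscate_password, as the server applies it to User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, include_ma, authenticator=None):
    """Return an Access-Request; include_ma=True appends a valid Message-Authenticator,
    which is what the patched radclient does even when the input file omits it."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, obfuscate_password(password, secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    if include_ma:
        attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder value
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + authenticator + attrs
    if include_ma:
        # RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the whole
        # packet with the Message-Authenticator value zeroed; it is the last attribute,
        # so its 16-byte value is simply the packet tail.
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_attrs(pkt: bytes):
    """Return a list of (type, value, value_offset) tuples from the attribute section."""
    attrs, pos = [], HEADER_LEN
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, pkt[pos + 2:pos + length], pos + 2))
        pos += length
    return attrs


def check_access_request(pkt: bytes, secret: bytes, require_ma: bool = True) -> str:
    """The check that require_message_authenticator = yes turns on, in miniature.

    Returns 'verified', 'invalid', 'missing' (attribute absent and required)
    or 'not-present' (attribute absent but not required)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    found = [(v, off) for t, v, off in parse_attrs(pkt) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing" if require_ma else "not-present"
    value, off = found[0]
    if len(value) != 16:
        return "invalid"
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "verified" if hmac.compare_digest(expected, value) else "invalid"


if __name__ == "__main__":
    secret = b"testing123"  # constructed; not a real shared secret
    for with_ma in (True, False):
        pkt = build_access_request(7, secret, b"testuser", b"XXXXXXX", "192.0.2.10", with_ma)
        print(f"include_ma={with_ma}: {len(pkt)} bytes -> {check_access_request(pkt, secret)}")
```

The two branches of check_access_request are the whole story of the question: radclient always takes the include_ma=True path, so the server never sees the "missing" case, which is exactly why only the server's debug output (radiusd -X) can tell you which packet actually arrived. To exercise a real server you would hand the bytes from build_access_request to a UDP socket on port 1812; that part is left out here so the example runs offline.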
