radiusd General question about "client upgrade"
-
This is the log under system - general:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Nov 15 10:43:17 radiusd 55914 Once the client is upgraded, set "require_message_authenticator = true" for client OpenVPN_Road_Warrior_access
Nov 15 10:43:17 radiusd 55914
UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
Nov 15 10:43:17 radiusd 55914 The packet does not contain Message-Authenticator, which is a security issue.
Nov 15 10:43:17 radiusd 55914 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Nov 15 10:43:17 radiusd 55914 Setting "limit_proxy_state = true" for client OpenVPN_Road_Warrior_access
Nov 15 10:43:17 radiusd 55914 BlastRADIUS check: Received packet without Proxy-State.
Nov 15 10:43:17 radiusd 55914 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If I open my FreeRADIUS - client - "openvpn radius authentication server", there is a line to change - require message authenticator from no to yes.
Can I assume with this line present that the client is upgraded and I only need to change from the default no to yes?
-
You can set that to yes to mitigate the issue. However, if you're only running RADIUS between the FreeRADIUS server on the firewall and the OpenVPN client, also on the firewall, that traffic never leaves, so there is no issue.
Steve
-
I went and changed to yes and the logs seemed to clear up.
Thank you again.