FreeRadius BlastRADIUS Warning in System Logs - How To Mitigate?
-
Hi all,
I see that that the FreeRadius package was updated to 3.2.6 with pfSense Plus 24.11. In my case, FreeRadius is used to allow users to authenticate (connect) to OpenVPN using OTP (Google Authenticator). I noticed the following warning now showing up in the system logs every time someone authenticates and connects to OpenVPN:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Once the client is upgraded, set "require_message_authenticator = true" for client pfsenseclient
UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.
The packet does not contain Message-Authenticator, which is a security issue.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Setting "limit_proxy_state = true" for client pfsenseclient
BlastRADIUS check: Received packet without Proxy-State.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If I simply set "Require Message Authenticator" to Yes in the FreeRadius NAS/Clients section, users can no longer connect to OpenVPN. I believe this is because there is no Message-Authenticator attribute being sent along with the Access-Request, so the traffic is just dropped by FreeRadius.
How do I mitigate / handle this warning message? I looked at the FreeRadius website and reviewed their posting on BlastRADIUS where they provided some suggestions:
https://www.freeradius.org/security/
If the FreeRadius package is up to date, the main recommendation was to add the following under the security section in radiusd.conf:
    require_message_authenticator = auto
    limit_proxy_state = auto
I tried this, but the warning message still occurs when users connect.
If one is using an older version of the Free Radius package, the other suggestion was to edit the virtual server config and add the following code snippet under the authorize section:
    if (!EAP-Message) {
        update reply {
            Message-Authenticator := 0x00
        }
    }
Would this (above) be worth trying? Does anyone have any other ideas on how to mitigate this warning message / how to properly enable and support the Message-Authenticator attribute when using OTP with FreeRadius?
Thanks in advance for the help, I really appreciate it.
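To make the warning concrete, here is an added example (not code from the thread, pfSense or FreeRADIUS) that builds a RADIUS Access-Request with a correct Message-Authenticator, checks an incoming packet for that attribute, and models how a per-client require_message_authenticator setting of no / yes / auto would treat a packet that has it, lacks it, or carries a bad one. The shared secret, user name and NAS identifier are constructed values, and the ClientPolicy class is a simplified model of the server-side behaviour, not FreeRADIUS's own code.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values; not taken from the forum thread.
SECRET = b"example-shared-secret"
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def _attr(attr_type, value):
    # RADIUS attribute: Type (1 byte), Length (1 byte, counts the 2-byte header), Value.
    return struct.pack("BB", attr_type, len(value) + 2) + value


def _packet(code, identifier, authenticator, attrs):
    # RADIUS header: Code, Identifier, total Length, 16-byte Request Authenticator.
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(secret, identifier, username, nas_id, authenticator=None):
    """Build an Access-Request carrying a correct Message-Authenticator (RFC 2869 s5.14).

    The attribute is first filled with 16 zero bytes, HMAC-MD5 keyed with the shared
    secret is computed over the whole packet, and the digest replaces the zeros.
    """
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = [
        _attr(ATTR_USER_NAME, username.encode()),
        _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()),
        _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder for the HMAC
    ]
    draft = _packet(CODE_ACCESS_REQUEST, identifier, authenticator, attrs)
    mac = hmac.new(secret, draft, hashlib.md5).digest()
    attrs[-1] = _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    return _packet(CODE_ACCESS_REQUEST, identifier, authenticator, attrs)


def parse_attributes(packet):
    """Return a list of (type, value, offset) for every attribute in the packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, offset = [], HEADER_LEN
    while offset < length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[offset + 2:offset + attr_len], offset))
        offset += attr_len
    return attrs


def check_message_authenticator(packet, secret):
    """Classify a request as 'missing', 'valid' or 'invalid' for Message-Authenticator."""
    for attr_type, value, offset in parse_attributes(packet):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return "invalid"
        # Recompute the HMAC with the attribute value zeroed, exactly as the sender did.
        zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "missing"


def strip_message_authenticator(packet):
    """Copy of the packet without Message-Authenticator (mimics a client that never sends it)."""
    kept = [_attr(t, v) for t, v, _ in parse_attributes(packet) if t != ATTR_MESSAGE_AUTHENTICATOR]
    return _packet(packet[0], packet[1], packet[4:20], kept)


class ClientPolicy:
    """Simplified model (assumption) of require_message_authenticator = no | yes | auto."""

    def __init__(self, mode="auto"):
        self.mode = mode
        self.client_has_sent_ma = False  # 'auto' starts requiring it once the client has sent one

    def decide(self, packet, secret):
        status = check_message_authenticator(packet, secret)
        if status == "invalid":
            return "drop", "Message-Authenticator does not verify"
        if status == "valid":
            self.client_has_sent_ma = True
            return "accept", "Message-Authenticator verified"
        if self.mode == "yes" or (self.mode == "auto" and self.client_has_sent_ma):
            return "drop", "Message-Authenticator required but absent"
        return "accept", "warning: packet lacks Message-Authenticator"


if __name__ == "__main__":
    req = build_access_request(SECRET, 7, "alice", "pfsenseclient")
    policy = ClientPolicy("auto")
    print(policy.decide(strip_message_authenticator(req), SECRET))  # accepted, with warning
    print(policy.decide(req, SECRET))                               # accepted, client now known
    print(policy.decide(strip_message_authenticator(req), SECRET))  # dropped under 'auto'
```

The "missing" path is what the log above is reporting: the request reaches the server without the attribute, so the server can only warn. Setting the client to Yes corresponds to the "drop" branch, which is why connections fail until the sender actually includes the attribute; "auto" only starts dropping after the same client has sent a valid one.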
-
Just wanted to follow up on this quick - does anyone have any thoughts or suggestions how to handle these BlastRADIUS warnings from FreeRadius and what the best mitigation would be? Thanks again for your help.
-
Normally I would say it doesn't really matter because the radius traffic is between the openvpn client and radius server and they are both on the pfSense box. The traffic never leaves it.
But here you are sending Google auth..... however that's actually LDAP and cert authenticated, ssl encrypted.
-
@stephenw10 said in FreeRadius BlastRADIUS Warning in System Logs - How To Mitigate?:
Normally I would say it doesn't really matter because the radius traffic is between the openvpn client and radius server and they are both on the pfSense box. The traffic never leaves it.
But here you are sending Google auth..... however that's actually LDAP and cert authenticated, ssl encrypted.
Hi @stephenw10 - thanks for the response. Ultimately, do you think this is something to be concerned about when using e.g. Google Authenticator for OTP? If yes, how do you suggest it should be mitigated? Thanks again for all your help.
-
I don't believe so since the radius traffic never leaves the firewall.