
[defect]: BlastRADIUS incorrect config hint is wrong #5484

Closed
KevP opened this issue Dec 29, 2024 · 0 comments
Labels
defect category: a defect or misbehaviour


KevP commented Dec 29, 2024

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

Send a request with a Message-Authenticator field to FR via a client config with no require_message_authenticator setting configured. Seen in v3.2.6

Log output from the FreeRADIUS daemon

When no require_message_authenticator setting is configured on a client and the server receives a request packet with a Message-Authenticator value, the debug log prints this:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
BlastRADIUS check: Received packet without Proxy-State.
Setting "limit_proxy_state = true" for client wws1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The packet contains Message-Authenticator.
The client has likely been upgraded to protect from the attack.
Please set "require_message_authenticator = true" for client wws1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

However, setting "require_message_authenticator = true" (or in my case for a dynamic client: &FreeRADIUS-Client-Require-MA = "true") results in the config failing to load:

server dynamic_client_server { # from file /etc/freeradius/radiusd.conf
 # Loading authorize {...}
/etc/freeradius/radiusd.conf[107]: Unknown or invalid value "true" for attribute FreeRADIUS-Client-Require-MA
/etc/freeradius/radiusd.conf[101]: Failed to parse "update" subsection.
/etc/freeradius/radiusd.conf[99]: Errors parsing authorize section.

The correct setting is '= yes' rather than '= true'.

I'm not sure if limit_proxy_state has the same issue?

The example file/docs also state it should be "yes" or "no":

	#
	#  If these two flags are not set here, Then their values will
	#  be taken from the corresponding flags in the main
	#  security{...} section.
	#
	#  The resulting values will be used as the defaults for any
	#  dynamic client which is being defined.  The
	#  "FreeRADIUS-Client-Require-MA" attribute (see below) can be
	#  used to further over-ride this flag.
	#
	#  Note that it is NOT possible to set
	#
	#	&FreeRADIUS-Client-Require-MA = auto
	#
	#  The value MUST be either "yes" or "no".
	#  
	#  Note that it is NOT possible to change the value of
	#  "limit_proxy_state" dynamically via an attribute.
	#
	#
#	require_message_authenticator = yes
#	limit_proxy_state = yes

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response
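The mismatch reported above is easy to miss because the debug hint says `true` while the quoted clients.conf documentation says the value must be `yes` or `no`, and a wrong spelling only surfaces when the daemon refuses to load. The following lint, added here as an example and not code from the FreeRADIUS project, scans a clients.conf-style file or an unlang `update` block for `require_message_authenticator` and `&FreeRADIUS-Client-Require-MA` assignments and flags anything other than `yes`/`no`, suggesting the corrected spelling. It assumes only what the issue states (the two names and the yes/no requirement); the sample configuration, the client name `wws1` taken from the log and the address are constructed, and `limit_proxy_state` is deliberately not checked because the report leaves that question open.

```python
import re

# Settings that, per the quoted clients.conf documentation, accept only "yes"
# or "no". Writing "true"/"false" makes the server fail to load the config.
YES_NO_SETTINGS = {"require_message_authenticator", "FreeRADIUS-Client-Require-MA"}
ACCEPTED = {"yes", "no"}

# One pattern covers the clients.conf form (key = value) and the unlang update
# form (&Attr = "value"); the leading & and the quotes are optional.
_ASSIGN = re.compile(r'^\s*&?(?P<key>[A-Za-z0-9_-]+)\s*=\s*"?(?P<value>[A-Za-z_-]+)"?')

# Spellings seen in the issue's hint, mapped to what the config parser accepts.
_FIXES = {"true": "yes", "false": "no"}

# Constructed sample: one static client and one dynamic-client update block,
# both using the spelling the debug hint suggests. Address and secret are made up.
SAMPLE = """\
client wws1 {
    ipaddr = 192.0.2.10        # constructed example address
    secret = example-secret
    require_message_authenticator = true
}
# dynamic client definition in unlang (constructed)
update control {
    &FreeRADIUS-Client-Require-MA = "true"
}
"""


def lint_require_ma(text):
    """Return (line_number, key, bad_value, suggested_fix) for every offending line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Drop trailing comments; fully commented-out lines produce no match.
        line = raw.split("#", 1)[0]
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key not in YES_NO_SETTINGS or value.lower() in ACCEPTED:
            continue
        # Unknown spellings (e.g. "auto") get a generic suggestion.
        fix = _FIXES.get(value.lower(), "yes or no")
        findings.append((lineno, key, value, fix))
    return findings


def fix_text(text):
    """Return the config with "true"/"false" rewritten to yes/no; other values are left alone."""
    lines = text.splitlines(keepends=True)
    for lineno, _key, bad, fix in lint_require_ma(text):
        if fix in ACCEPTED:
            lines[lineno - 1] = re.sub(r"\b" + re.escape(bad) + r"\b", fix,
                                       lines[lineno - 1], count=1)
    return "".join(lines)


if __name__ == "__main__":
    for lineno, key, bad, fix in lint_require_ma(SAMPLE):
        print(f'line {lineno}: {key} = "{bad}" will not load; use "{fix}"')
    print(fix_text(SAMPLE))
```

Run it against a real clients.conf or the policy file that holds the dynamic-client `update` block before restarting the daemon; the check is purely textual, so it also catches the spelling in files that radiusd has not yet tried to parse.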

@KevP KevP added the defect category: a defect or misbehaviour label Dec 29, 2024
alandekok added a commit that referenced this issue Dec 29, 2024