RADIUS Require Message-Authenticator

Note

This article describes how to configure PhenixID Server to require that the RADIUS clients it communicates with follow RFC 2869 section 5.1.4 and add a Message-Authenticator attribute to their RADIUS packets. PhenixID Server always adds Message-Authenticator itself, but it can be configured to enforce that incoming requests or responses also contain the attribute.

Overview

RADIUS authenticators can be configured with two parameters controlling whether Message-Authenticator must be present in incoming RADIUS packets. The first one, require_message_authenticator_on_request, controls whether incoming requests (Access-Request) must contain the attribute. Default is false. The second one, require_message_authenticator_on_response, controls whether incoming responses (Access-Accept, Access-Reject, etc.) must contain the attribute. Default is false. The recommendation is to set both to true to protect against the vulnerability CVE-2024-3596.

Where to configure

These two parameters are configured in the config object of RADIUS authenticators, and in valves that use RADIUS. See the separate valve configuration for details on the valves. For the authenticators, an example configuration is as follows:

  "RADIUS_AUTHENTICATORS" : [ {
    "name" : "UsernamePasswordAuthenticator",
    "config" : {
      "uid_pwd_pipe" : "9eba4d51-0fa5-4d4d-96ef-38ac836b99ae",
      "clientIP" : "1.1.1.1",
      "ar_attributes" : "",
      "resp_attributes" : "",
      "vs_attributes" : "",
      "secret" : "{enc}4d3r8wC4bkReLbydB9fHDOlXSnpiSivKFbSDo1IMnYg=",
      "radius_config" : "3e4be286-985c-4f94-a6aa-79fee09a8c5f",
      "require_message_authenticator_on_request": "true"
    },
    "created" : "2024-09-26T14:31:56.630Z",
    "id" : "3d176591-7298-437c-ad63-b10428f66854"
  } ],

Note that require_message_authenticator_on_request is only relevant for RADIUS authenticators, not for valves. Likewise, require_message_authenticator_on_response is only relevant for the valves and for the RadiusForwardAuthenticator RADIUS authenticator.
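To show what such a requirement means on the wire, here is an added illustration (not PhenixID Server code, whose implementation is not shown in this article): a check that applies the RFC 2869 HMAC-MD5 Message-Authenticator verification to a RADIUS packet and rejects a packet lacking the attribute when the policy requires it. The `require` flag stands in for require_message_authenticator_on_request (verified against the packet's own Request Authenticator) or require_message_authenticator_on_response (the caller supplies the Request Authenticator of the matching Access-Request); the shared secret and sample packet are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type assigned by RFC 2869

def parse_attributes(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        yield pos, packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def expected_message_authenticator(packet, ma_offset, request_authenticator, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    For responses, RFC 2869 keys the HMAC over the Request Authenticator of the
    matching Access-Request, so that value is substituted into the header."""
    buf = bytearray(packet)
    buf[4:20] = request_authenticator
    buf[ma_offset + 2:ma_offset + 18] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def check_packet(packet, secret, require, request_authenticator=None):
    """Apply a require_message_authenticator_* style policy. Returns (accepted, reason)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False, "bad length"
    mas = [(off, val) for off, typ, val in parse_attributes(packet) if typ == MESSAGE_AUTHENTICATOR]
    if not mas:
        return (False, "missing Message-Authenticator") if require else (True, "not required")
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False, "malformed Message-Authenticator"
    ra = packet[4:20] if request_authenticator is None else request_authenticator
    if not hmac.compare_digest(expected_message_authenticator(packet, mas[0][0], ra, secret), mas[0][1]):
        return False, "Message-Authenticator mismatch"
    return True, "verified"

def build_access_request(identifier, secret, attributes, with_message_authenticator=True):
    """Constructed Access-Request (code 1), used only to exercise check_packet."""
    body = b"".join(bytes([typ, len(val) + 2]) + val for typ, val in attributes)
    ma_offset = 20 + len(body) if with_message_authenticator else None
    if with_message_authenticator:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # placeholder, zeroed for the HMAC
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + secrets.token_bytes(16) + body
    if ma_offset is not None:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:ma_offset + 2] + mac + packet[ma_offset + 18:]
    return packet
```

With `require=False` a packet without the attribute is accepted unchecked, which is the default behaviour the article recommends turning off.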