The HPE Aruba Networking ClearPass NAC solution versions 6.12.2 and 6.11.9 have introduced configuration options to require the inclusion of the Message-Authenticator attribute as the first RADIUS attribute. When enabled, ClearPass will reject any request or Dynamic Authorization transaction (such as Disconnect Message or Change of Authorization) that does not include the Message-Authenticator attribute as the first attribute.
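The rule described above (reject any request whose first attribute is not a valid Message-Authenticator) is simple to express as a server-side validation step. The following is an added example written for this article, not ClearPass code or any HPE Aruba Networking implementation: it parses a RADIUS request, requires attribute type 80 (Message-Authenticator) to be the first attribute, and verifies its HMAC-MD5 (RFC 2869 / RFC 3579) over the packet with the 16-byte value zeroed. The shared secret, the fixed Request Authenticator and the `build_access_request` helper are constructed for the example; a real client uses a random Authenticator. It handles request packets (Access-Request, Disconnect-Request, CoA-Request), where the packet's own Authenticator field is used as-is in the HMAC input.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for this example only (not a deployment value).
SHARED_SECRET = b"example-shared-secret"

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def parse_attributes(packet):
    """Return a list of (type, value, offset) tuples for the attribute section."""
    attrs = []
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[offset + 2:offset + alen], offset))
        offset += alen
    return attrs


def check_message_authenticator(packet, secret):
    """Return (ok, reason). Enforces: Message-Authenticator present, first, 16 bytes,
    and equal to HMAC-MD5(secret, packet with the Message-Authenticator value zeroed)."""
    if len(packet) < HEADER_LEN:
        return False, "packet shorter than RADIUS header"
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field does not match packet size"
    try:
        attrs = parse_attributes(packet)
    except ValueError as exc:
        return False, str(exc)
    if not attrs:
        return False, "no attributes"
    atype, value, offset = attrs[0]
    if atype != ATTR_MESSAGE_AUTHENTICATOR:
        return False, "first attribute is not Message-Authenticator"
    if len(value) != 16:
        return False, "Message-Authenticator must be 16 bytes"
    # Zero the 16-byte value in place, keep the packet's own Authenticator field.
    zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, value):
        return False, "Message-Authenticator HMAC mismatch"
    return True, "ok"


def build_access_request(secret, username, placement="first"):
    """Constructed Access-Request. placement is 'first', 'last' or 'none' and
    controls where (or whether) the Message-Authenticator attribute appears."""
    authenticator = bytes(range(16))  # constructed, fixed for reproducibility
    user_name = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    ma_placeholder = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    if placement == "first":
        body, ma_offset = ma_placeholder + user_name, HEADER_LEN
    elif placement == "last":
        body, ma_offset = user_name + ma_placeholder, HEADER_LEN + len(user_name)
    else:
        body, ma_offset = user_name, None
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, 1, HEADER_LEN + len(body))
    packet = header + authenticator + body
    if ma_offset is None:
        return packet
    # HMAC is computed with the Message-Authenticator value zeroed, then filled in.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset + 2] + mac + packet[ma_offset + 18:]


def tamper(packet, index):
    """Flip one bit at the given offset (used to show the HMAC check catching changes)."""
    data = bytearray(packet)
    data[index] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    for placement in ("first", "last", "none"):
        pkt = build_access_request(SHARED_SECRET, b"alice", placement)
        print(placement, check_message_authenticator(pkt, SHARED_SECRET))
    good = build_access_request(SHARED_SECRET, b"alice", "first")
    print("tampered", check_message_authenticator(tamper(good, HEADER_LEN + 18 + 2), SHARED_SECRET))
```

Only the "first" packet passes; a packet that carries the attribute later, omits it, was modified after the HMAC was computed, or was built with a different shared secret is rejected with a specific reason, which is the kind of string a server should log so that a sudden rise in rejections is visible in central logging.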
The entire Blast RADIUS attack hinges upon sending RADIUS packets over UDP. It is possible, and recommended, to configure RADIUS to work over TCP with TLS encrypting the data in transit. When RADIUS works over TCP with TLS, this is known as RadSec. Using RadSec mitigates the risk posed by this vulnerability by preventing the attacker from performing a machine-in-the-middle attack against the stateless UDP packets. If an attacker attempts to mount a machine-in-the-middle attack against a RadSec TCP stream, the connection will fail due to the cryptographic protections provided by TLS.
As another layer of defense, it is also important to isolate network management services onto their own “management VLAN”. Access to this VLAN should be tightly controlled, and all authorization attempts should be logged to a central logging service.
The main advantage of RADIUS over TLS is to provide a means to secure communication between peers using TLS.
The most important use of this specification lies in roaming environments where RADIUS packets need to be transferred through different administrative domains and untrusted, potentially hostile networks.
RADIUS over TLS wraps the entire RADIUS packet payload into a TLS stream and thus mitigates the risk of attacks on MD5.
The new features in RADIUS over TLS obsolete the use of IP addresses and shared MD5 secrets to identify other peers and thus allow the use of more contemporary trust models, e.g., checking a certificate by inspecting the issuer and other certificate properties.
Use network access control to protect against Blast RADIUS attacks
The “Blast RADIUS” attack represents a significant vulnerability within the RADIUS protocol, targeting its cryptographic elements to create a hash collision that allows unauthorized access. This vulnerability underscores the critical need for heightened security measures, particularly for network management and authentication services. With the enhanced security configurations in HPE Aruba Networking ClearPass NAC solution to mandate the Message-Authenticator attribute, you can add a layer of validation for all incoming requests that can help protect against this type of vulnerability.
In addition, implementing RADIUS over TLS is a pivotal strategy for organizations, especially in high-risk or roaming environments. By wrapping RADIUS packets in TLS, organizations can mitigate attacks on MD5-based authentications, moving toward a modernized, certificate-based trust model. This approach, along with network segmentation practices like isolating management VLANs, provides a robust defense against such protocol-level attacks, reinforcing the security and integrity of network access control frameworks.
Author Bios:
Adilson Gal is a CISSP and CC certified security professional with a focus on product security engineering. Since joining HPE Aruba Networking in 2022, he has been dedicated to strengthening the security of HPE Aruba Networking solutions.
Nicholas Starke – Nick is an experienced security researcher specializing in firmware security. He is passionate about low-level reverse engineering and software development. He has been with Aruba since 2018 in his position as Threat Researcher.