From the Aruba bulletin:
Workaround
==========
Network Operators who rely on the RADIUS protocol for device and/or
user authentication should update their software and configuration
to a secure form of the protocol for both clients and servers.
Where available, using EAP-TLS (assuming Message-Authenticator is
properly configured on the RADIUS server) or RadSec will mitigate the
vulnerability. This workaround applies to all products.
In instances where product upgrades are not available,
network isolation and secure VPN tunnel communications should
be enforced for the RADIUS protocol to restrict access to these
network resources from untrusted sources.
RADIUS with the fix is still unencrypted and using weak cryptography. It has for years already been a (my) recommendation to run RADIUS only over trusted networks, to which an attacker does not have access. This attack requires a man-in-the-middle, which requires someone to be in the middle of the RADIUS traffic between the network device and the RADIUS server, which is a situation I would not like to be in, for the previously mentioned reasons.
I would work with your Aruba partner and/or local Aruba SE to discuss the situation and find the best way forward, where abandoning (cleartext) RADIUS may be one of the scenarios to explore.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
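The bulletin's condition that Message-Authenticator be "properly configured" comes down to two checks the CVE-2024-3596 fixes turn on: the server includes a Message-Authenticator (RFC 2869, attribute 80, HMAC-MD5 keyed with the shared secret) in every Access-Accept/Reject/Challenge, and the client refuses responses that lack one instead of trusting only the MD5 Response Authenticator, which is the value the attack forges. The following is an added example, not code from the Aruba bulletin, from Aruba, or from anyone in this thread: a minimal RADIUS client/server pair in Python that builds and verifies both authenticators. The shared secret, identifier and user name are constructed for the demo, and the `require_message_authenticator` flag is this example's own knob, not an ArubaOS or ClearPass setting.

```python
# Added example (not from the Aruba bulletin or this thread): minimal RADIUS
# client/server showing the Response Authenticator (RFC 2865) and
# Message-Authenticator (RFC 2869) checks behind the CVE-2024-3596 fixes.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def _assemble(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def _attributes(packet):
    # Yield (type, value_offset, value) for each TLV after the header.
    pos = HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen


def _ma_offset(packet):
    # Offset of the 16-byte Message-Authenticator value, or None if absent.
    for atype, off, value in _attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            return off
    return None


def _message_authenticator(packet, secret, request_auth):
    # HMAC-MD5 over the packet with the Request Authenticator in the header
    # and the Message-Authenticator value zeroed (RFC 2869 section 5.14).
    off = _ma_offset(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator")
    buf = bytearray(packet)
    buf[4:20] = request_auth
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def _bad_length(packet):
    return len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet)


def build_access_request(secret, ident, username):
    # Client (NAS) side: random Request Authenticator plus Message-Authenticator.
    request_auth = os.urandom(16)
    attrs = [_attr(MESSAGE_AUTHENTICATOR, bytes(16)), _attr(USER_NAME, username.encode())]
    pkt = bytearray(_assemble(ACCESS_REQUEST, ident, request_auth, attrs))
    off = _ma_offset(pkt)
    pkt[off:off + 16] = _message_authenticator(bytes(pkt), secret, request_auth)
    return bytes(pkt)


def verify_access_request(secret, request, require_message_authenticator=True):
    # Server side: the check a "require Message-Authenticator" policy performs.
    if _bad_length(request):
        return False, "bad length"
    off = _ma_offset(request)
    if off is None:
        if require_message_authenticator:
            return False, "missing Message-Authenticator"
        return True, "accepted without Message-Authenticator"
    expected = _message_authenticator(request, secret, request[4:20])
    if not hmac.compare_digest(expected, request[off:off + 16]):
        return False, "bad Message-Authenticator"
    return True, "accepted"


def build_response(secret, request, code, attrs=(), include_message_authenticator=True):
    # Server side. A fixed server always includes Message-Authenticator;
    # include_message_authenticator=False models an unpatched server.
    request_auth = request[4:20]
    attrs = list(attrs)
    if include_message_authenticator:
        attrs.insert(0, _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = bytearray(_assemble(code, request[1], request_auth, attrs))
    if include_message_authenticator:
        off = _ma_offset(pkt)
        pkt[off:off + 16] = _message_authenticator(bytes(pkt), secret, request_auth)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + request_auth + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)


def verify_response(secret, request, response, require_message_authenticator=True):
    # Client side: MD5 Response Authenticator first, then HMAC Message-Authenticator.
    if _bad_length(response):
        return False, "bad length"
    if response[1] != request[1]:
        return False, "identifier mismatch"
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, "bad Response Authenticator"
    off = _ma_offset(response)
    if off is None:
        if require_message_authenticator:
            return False, "missing Message-Authenticator"
        return True, "accepted without Message-Authenticator"
    if not hmac.compare_digest(_message_authenticator(response, secret, request_auth), response[off:off + 16]):
        return False, "bad Message-Authenticator"
    return True, "accepted"


def demo():
    secret = b"constructed-demo-secret"  # constructed; never reuse a demo secret
    req = build_access_request(secret, 7, "alice")
    accept = build_response(secret, req, ACCESS_ACCEPT)
    legacy = build_response(secret, req, ACCESS_ACCEPT, include_message_authenticator=False)
    return {
        "server_accepts_request": verify_access_request(secret, req),
        "client_accepts_fixed_response": verify_response(secret, req, accept),
        "client_rejects_legacy_response": verify_response(secret, req, legacy),
        "client_in_compat_mode": verify_response(secret, req, legacy, require_message_authenticator=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "compat mode" result is the situation the bulletin warns about: a client that still accepts a response without Message-Authenticator is relying on MD5 alone. Running the fixed check on both sides is what lets a deployment reject a forged Access-Accept; it does not encrypt anything, which is why the post above still recommends RadSec, a VPN tunnel or an isolated management network for the RADIUS path.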
Original Message:
Sent: Jul 29, 2024 02:41 AM
From: CHAO HSUAN HSIAO
Subject: about CVE-2024-3596
Hi All
The ArubaOS 8 solution version is estimated for release in mid-September.
I think that's too long, and the risk level is critical!
I see that the workaround is to enable RadSec, but I don't know this part very well.
Does anyone have suggestions on how to handle this?
Thanks.