日本語フォーラム

以下のアドバイザリーについて確認させてください。
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04662en_us&docLocale=en_US

ユーザー環境において以下の回避策が適用可能かどうか確認したく存じます。
=====
Workaround

Network Operators who rely on the RADIUS protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. Where available, using EAP-TLS (assuming Message-Authenticator is properly configured on the RADIUS server) or RadSec will mitigate the vulnerability. This work around applies to all products.

In instances where product upgrades are not available,network isolation and secure VPN tunnel communications shouldbe enforced for the RADIUS protocol to restrict access to thesenetwork resources from untrusted sources.

For assistance in implementing EAP-TLS or RadSec on individual products contact HPE Services – Aruba Networking for assistance.Workaround

Network Operators who rely on the RADIUS protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. Where available, using EAP-TLS (assuming Message-Authenticator is properly configured on the RADIUS server) or RadSec will mitigate the vulnerability. This work around applies to all products.

In instances where product upgrades are not available,network isolation and secure VPN tunnel communications shouldbe enforced for the RADIUS protocol to restrict access to thesenetwork resources from untrusted sources.

For assistance in implementing EAP-TLS or RadSec on individual products contact HPE Services – Aruba Networking for assistance.
=====

ユーザー環境ではL3認証のCaptive Portal認証が実装されております。
以下よりCaptive Portal認証にて指定できるプロトコルはPAP、CHAP、MS-CHAPv2となるかと存じます。
この場合、脆弱性の影響を受けるが回避策は適用できず、恒久対策のアップグレードのみが対処方法、
ということになりますでしょうか？

Configuring Captive Portal Authentication Profiles
https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/captive-portal/capt-port-auth-prof.htm

------------------------

Authentication Protocol
Select the PAP, CHAP or MS-CHAPv2 authentication protocol.
NOTE: Do not use the CHAP = option unless instructed to do so by anAruba representative.

------------------------

Status: Investigating
となっており、引き続き調査中のステータスと存じますので可能な範囲でご確認いただけますと幸いです。

お問い合わせありがとうございます。

RadSecでRADIUS通信を暗号化することで回避策になります。
RadSecが困難な場合はResolutionにあるバージョンにアップグレード頂き、RADIUS属性のMessage-Authenticator を有効にしてご利用ください。

以下のアドバイザリーについて確認させてください。
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04662en_us&docLocale=en_US

ユーザー環境において以下の回避策が適用可能かどうか確認したく存じます。
=====
Workaround

Network Operators who rely on the RADIUS protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. Where available, using EAP-TLS (assuming Message-Authenticator is properly configured on the RADIUS server) or RadSec will mitigate the vulnerability. This work around applies to all products.

In instances where product upgrades are not available,network isolation and secure VPN tunnel communications shouldbe enforced for the RADIUS protocol to restrict access to thesenetwork resources from untrusted sources.

For assistance in implementing EAP-TLS or RadSec on individual products contact HPE Services – Aruba Networking for assistance.Workaround

Network Operators who rely on the RADIUS protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. Where available, using EAP-TLS (assuming Message-Authenticator is properly configured on the RADIUS server) or RadSec will mitigate the vulnerability. This work around applies to all products.

In instances where product upgrades are not available,network isolation and secure VPN tunnel communications shouldbe enforced for the RADIUS protocol to restrict access to thesenetwork resources from untrusted sources.

For assistance in implementing EAP-TLS or RadSec on individual products contact HPE Services – Aruba Networking for assistance.
=====

ユーザー環境ではL3認証のCaptive Portal認証が実装されております。
以下よりCaptive Portal認証にて指定できるプロトコルはPAP、CHAP、MS-CHAPv2となるかと存じます。
この場合、脆弱性の影響を受けるが回避策は適用できず、恒久対策のアップグレードのみが対処方法、
ということになりますでしょうか？

Configuring Captive Portal Authentication Profiles
https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/captive-portal/capt-port-auth-prof.htm

------------------------

Authentication Protocol
Select the PAP, CHAP or MS-CHAPv2 authentication protocol.
NOTE: Do not use the CHAP = option unless instructed to do so by anAruba representative.

------------------------

Status: Investigating
となっており、引き続き調査中のステータスと存じますので可能な範囲でご確認いただけますと幸いです。