The RADIUS traffic is isolated, but nonetheless our Security Team sees a CVE 9.0 and tells us we need to make the change on ClearPass, because our insurance requires us to properly mitigate any security issues.
But if you say that the update to 8.12.0.2 will add the Message-Authenticator to all RADIUS requests, that is exactly the information I need, since I am already in the process of deploying that upgrade.
Original Message:
Sent: Aug 07, 2024 04:35 AM
From: Herman Robers
Subject: RADIUS Message-Authenticator
If you have separated your RADIUS traffic from networks that your users have access to, the vulnerabilities mentioned in Blast-RADIUS are not exploitable. These require a man-in-the-middle between your switches/APs and your RADIUS server. As RADIUS is mostly unencrypted, that would be recommended anyway, so if (malicious) users have the possibility to sit in between your switches/APs and your RADIUS server, you may have other things to worry about. Moving to RadSec, or VPN technology to protect your RADIUS traffic eliminates the risk of this vulnerability, and others (like unencrypted data). The reason for the high score on the vulnerability is because some users run RADIUS (unencrypted) over the internet.
As well, mentioned before, if you have any EAP method (EAP-TLS/TEAP/PEAP), there are Message Authenticators included already, so there is no risk. As you mentioned for PAP/MAC Auth, the risk is there, but only if you allow man-in-the-middle on your RADIUS traffic.
Having said that, in the bulletin posted on the Networking Support Portal, you can check which versions of software you need. With those versions, the Message Authenticators should be there.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 07, 2024 02:54 AM
From: MPieper
Subject: RADIUS Message-Authenticator
My question boils down to: how do I check for the presence of the Message-Authenticator on the wireless controller?
We were able to perform a partial test yesterday and enabled the two service parameters on a test system. Administrative logons to a test controller worked without a hitch, but the ClearPass change broke our wired switches in the test environment (a totally different topic handled by a different internal team), so we rolled back before I had time to also test wireless authentication.
At least it is good to have a confirmation that 802.1x is not affected, but we also do a lot of MAC-Auth via RADIUS, and I have not seen anything obvious that I would need to change in the MAC-Auth profiles.
My next internal test window will be at the end of the week; I will report back :D
Original Message:
Sent: Aug 06, 2024 02:56 PM
From: h2
Subject: RADIUS Message-Authenticator
The message-authenticator is a value that may (or may not) be present in RADIUS requests and responses. The presence of message-authenticators is required to protect against the BlastRADIUS weaknesses; with those new settings in ClearPass, any RADIUS packets that do not contain a message-authenticator will be dropped silently.
So in order to activate these settings, you have to make sure that all of your NADs (switches, controllers…) include message-authenticators in their requests, otherwise the activation will break your authentication.
For 802.1x, message-authenticators have always been mandatory, so PAP/CHAP/MAC-Auth requests have to be checked.
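An added example, not from any post in this thread and not Aruba or ClearPass code: a small Python checker for the point h2 and Herman make above, namely that a RADIUS Access-Request either carries attribute 80 (Message-Authenticator, RFC 2869) or it does not, and if it does, whether the HMAC-MD5 over the packet verifies under the shared secret. The packet builder, the shared secret and the attribute values below are constructed for the demo; to check what a real controller actually sends, feed the UDP payload of a captured Access-Request to check_message_authenticator together with your shared secret.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type
MA_LENGTH = 18               # type(1) + length(1) + 16-byte HMAC-MD5


def parse_attributes(payload: bytes):
    """Split the attribute section into (type, offset_in_payload, value) tuples."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, i, payload[i + 2:i + alen]))
        i += alen
    return attrs


def check_message_authenticator(pkt: bytes, secret: bytes, request_authenticator=None):
    """Return (present, valid) for one RADIUS packet.

    For an Access-Request the HMAC-MD5 key is the shared secret and the text is
    the whole packet with the Message-Authenticator value zeroed. For a reply,
    the Authenticator field must first be replaced by the matching request's
    Request Authenticator (pass it in as request_authenticator).
    """
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    pkt = pkt[:length]
    for atype, offset, value in parse_attributes(pkt[20:]):
        if atype != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return True, False           # malformed attribute counts as invalid
        start = 20 + offset + 2          # first byte of the 16-byte value
        text = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
        if code != ACCESS_REQUEST:
            if request_authenticator is None:
                raise ValueError("reply verification needs the Request Authenticator")
            text = text[:4] + request_authenticator + text[20:]
        expected = hmac.new(secret, text, hashlib.md5).digest()
        return True, hmac.compare_digest(expected, value)
    return False, False                  # attribute 80 absent: what ClearPass would drop


def build_access_request(ident: int, secret: bytes, request_authenticator: bytes,
                         attrs, include_ma: bool = True) -> bytes:
    """Build a constructed Access-Request, optionally with a correct Message-Authenticator."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    ma_pos = 20 + len(body) + 2          # where the HMAC value will sit if included
    if include_ma:
        body += bytes([MESSAGE_AUTHENTICATOR, MA_LENGTH]) + b"\x00" * 16
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body
    if include_ma:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()   # computed over the zeroed packet
        pkt = pkt[:ma_pos] + mac + pkt[ma_pos + 16:]
    return pkt


# Constructed sample: a MAC-auth style request (User-Name = MAC address), not captured traffic.
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    (1, b"00aabbccddee"),                # User-Name
    (31, b"00-AA-BB-CC-DD-EE"),          # Calling-Station-Id
    (6, struct.pack("!I", 2)),           # Service-Type = Framed
]


def demo():
    """Run the checker over one request with and one without attribute 80."""
    ra = os.urandom(16)
    with_ma = build_access_request(7, SECRET, ra, SAMPLE_ATTRS, include_ma=True)
    without_ma = build_access_request(8, SECRET, ra, SAMPLE_ATTRS, include_ma=False)
    return check_message_authenticator(with_ma, SECRET), check_message_authenticator(without_ma, SECRET)


if __name__ == "__main__":
    print(demo())
```

Under "Require Message-Authenticator from NAD = yes" the second result, (False, False), is the case that gets dropped silently, so a NAD whose requests come back like that is the one that will break MAC-Auth or PAP when the setting is enabled. Running the check over a capture taken on the ClearPass side answers the "how do I check on the controller" question without touching the controller configuration.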
Original Message:
Sent: Aug 01, 2024 03:12 AM
From: MPieper
Subject: RADIUS Message-Authenticator
Yes, I looked into the other advisories as well. But since the fixed AOS 8.12.0.2 is not released yet, I'm not sure how they can apply.
And the only configuration that is described in that document is also just the ClearPass setting "Require Message-Authenticator from NAD = yes".
Original Message:
Sent: Jul 31, 2024 12:35 PM
From: chulcher
Subject: RADIUS Message-Authenticator
Have you looked at the security advisory on this same subject that was previously released and covers the network devices?
https://networkingsupport.hpe.com/notifications/Tm90aWZpY2F0aW9uOjE5ODEw;notificationCategory=Security
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jul 31, 2024 08:07 AM
From: MPieper
Subject: RADIUS Message-Authenticator
Hi,
My question is in regards to the security advisory regarding the latest RADIUS vulnerability, HPESBNW04675 (I can't link it here for some reason).
We want to make the two recommended changes to ClearPass:
Require Message-Authenticator from NAD = yes
Require Message-Authenticator from Proxy Server = yes
I do not know what changes, if any, I would need to make on the wireless controller to not break RADIUS authentication.
We use RADIUS for admin authentication, for 802.1x and for MAC Authentication.
We are running Controllers on Version 8.11, with a conductor; ClearPass is on 6.12.2.