require_message_authenticator in FreeRADIUS not behaving as expected

Question (votes: 0, answers: 1)

I have recently been testing FreeRADIUS 3.0.27 (the version that was patched for the BlastRADIUS vulnerability).

From the documentation on GitHub:

#  Global configuration for requiring Message-Authenticator in
#  all Access-* packets sent over UDP or TCP.  This flag is
#  ignored for TLS.
#
#  The number one way to protect yourself from the BlastRADIUS
#  attack is to update all RADIUS servers, and then set this
#  flag to "yes".  If all RADIUS servers are updated, and if
#  all of them have this flag set to "yes" for all clients,
#  then your network is safe.  You can then upgrade the
#  clients when it is convenient, instead of rushing the
#  upgrades.

Following that recommendation, I tried setting require_message_authenticator = yes and sent an authentication request with radclient, which worked as expected.

[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx.xxx.xxx.xxx"
Message-Authenticator = 0x00

[root@hostname ~]# radclient -4 -xx xxx.xxx.xxx.xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 234 from 0.0.0.0:64365 to xxx.xxx.xxx.xxx:1812 length 78
    User-Name = "testuser"
    User-Password = "XXXXXXX"
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Message-Authenticator = 0x00
    Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 234 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:64365 length 119
    Message-Authenticator = 0xae26df4b307a7fda19f6707a808f42d0
    Reply-Message = "AAA provided by Radius"

However, when I try to authenticate without the Message-Authenticator attribute, I still get an Access-Accept:

[root@hostname ~]# cat auth.txt
User-Name = "testuser"
User-Password = 'XXXXXXX'
NAS-IP-Address = "xxx.xxx.xxx.xxx"
[root@hostname ~]# radclient -4 -xx xxx.xxx.xxx.xxx auth 'radiussecret' < auth.txt
Sent Access-Request Id 131 from 0.0.0.0:61581 to xxx.xxx.xxx.xxx:1812 length 78
    User-Name = "testuser"
    User-Password = "XXXXXXX"
    NAS-IP-Address = xxx.xxx.xxx.xxx
    Cleartext-Password = "XXXXXXX"
Received Access-Accept Id 131 from xxx.xxx.xxx.xxx:1812 to xxx.xxx.xxx.xxx:61581 length 119
    Message-Authenticator = 0x9774e2e86df2dbc1c9149b564cad42a3
    Reply-Message = "AAA provided by Radius"

According to the documentation, if require_message_authenticator = yes is set in the security block of radiusd.conf, an authentication packet received without a Message-Authenticator should be discarded with an Access-Reject. In my case, however, I got an Access-Accept.

I also noticed another block in the GitHub documentation:
#    WARNING: This switch is done for the first packet
#    received from that client or home server.  The change
#    does NOT persist across server restarts.  You MUST change
#    the to "yes" manually, in order to make a permanent
#    change to the configuration.

Based on that statement, I also restarted the RADIUS service between the two requests; the behavior was still the same.

I need someone to clear up the confusion and point me in the right direction.

freeradius radius message-authentication-code
1 Answer

0 votes

You are trying to debug the server by looking at the client output. That is not the right approach. All of the documentation says to run the server in debug mode and then read the output.

In this case, radclient has had the BlastRADIUS mitigations added. That is, it always sends a Message-Authenticator in Access-Request packets, even if the input file does not explicitly include one.

Run the server in debug mode and read the output. You will see that it is receiving Access-Request packets that contain a Message-Authenticator.
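To see what the server actually checks when require_message_authenticator = yes, here is an added Python example (not code from the question, the answer, or FreeRADIUS) that builds an Access-Request with and without a Message-Authenticator (attribute 80) and verifies it the way RFC 2869 section 5.14 specifies: HMAC-MD5 with the shared secret over the whole packet with the attribute value zeroed. The secret, identifiers and attribute values are constructed; User-Password is left out because its encoding is not what the question is about.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS = 1, 4
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14: 16-byte HMAC-MD5 keyed with the shared secret


def build_access_request(secret, ident, attrs, with_message_authenticator):
    """Build an Access-Request from (type, value) pairs with a random Request Authenticator.
    With with_message_authenticator=True it behaves like a patched radclient: a correct
    Message-Authenticator is appended even if the caller did not list one in attrs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_message_authenticator:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16)
    pkt = header + body
    if with_message_authenticator:
        # The HMAC covers the entire packet with the attribute value set to zeros.
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def check_message_authenticator(pkt, secret):
    """Server-side check: returns 'ok', 'missing', 'bad' or 'malformed'."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "malformed"
    off = 20
    while off + 2 <= len(pkt):
        attr_type, attr_len = pkt[off], pkt[off + 1]
        if attr_len < 2 or off + attr_len > len(pkt):
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "bad"
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(expected, pkt[off + 2:off + 18]) else "bad"
        off += attr_len
    return "missing"


def server_accepts(pkt, secret, require_message_authenticator):
    """Mirror require_message_authenticator: a missing MAC is tolerated only when it is 'no'."""
    status = check_message_authenticator(pkt, secret)
    return status == "ok" or (status == "missing" and not require_message_authenticator)
```

Because radclient always appends attribute 80, reproducing the "missing" case needs a packet built without it, as `build_access_request(..., False)` does here; a tampered packet or a wrong shared secret yields "bad" rather than "missing".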
