Description:

This article describes recommended actions for the security vulnerability in the RADIUS protocol [VU#456537]. 

Requirements:

  • Any SSH client for accessing the console (e.g. PuTTY)
  • Any web browser for accessing the web interface of the switches

General recommendation:

LANCOM Systems recommends using unencrypted RADIUS communication only in secure environments. Otherwise, RADIUS traffic should always be encrypted (RADSEC, i.e. RADIUS over TLS).

Activation of the "Require-Message-Authenticator" option for the RADIUS client on the various operating systems:

The vulnerability can only be exploited if the "Message-Authenticator" attribute is not present in the RADIUS packets. If the "Require-Message-Authenticator" option is activated, the "Message-Authenticator" must be present in all RADIUS packets received from the server (Access-Accept, Access-Reject and Access-Challenge). Packets without a "Message-Authenticator", or with an invalid one, are discarded.

If the RADIUS server does not support the "Message-Authenticator", authentication via that RADIUS server is no longer possible once the option is enabled! Before enabling it, therefore, make sure that the RADIUS server sets the Message-Authenticator in all of its responses.
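The check that "Require-Message-Authenticator" performs on the client side, as an added example that is not part of the original article or of the LCOS firmware: a minimal RADIUS packet builder plus the verification a client runs on an Access-Accept/Reject/Challenge. The Response Authenticator (RFC 2865 section 3) is an MD5 construction and is the only integrity check a client without the option performs; the Message-Authenticator (RFC 2869 section 5.14, attribute 80) is HMAC-MD5 over the packet with the attribute value zeroed, keyed with the shared secret, and is what the option enforces. The shared secret, identifier and user name are constructed sample values; the "forged" packet is built here with the secret only as a stand-in for the collision-forged response of VU#456537, which likewise carries a Response Authenticator the client cannot distinguish from a genuine one.

```python
"""Client-side Message-Authenticator enforcement for RADIUS responses (RFC 2865 / RFC 2869).
Example code, not LCOS code; the exchange below is constructed, not captured."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16  # HMAC-MD5 digest length


def parse_attributes(body: bytes):
    """Split the attribute area into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def encode_attributes(attrs) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def message_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attributes) with the attribute-80 value
    zeroed. For responses, RequestAuth is the authenticator of the matching Access-Request."""
    zeroed = [(t, bytes(MA_LEN) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attributes(zeroed)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + request_auth + body, hashlib.md5).digest()


def build_packet(code, ident, request_auth, attrs, secret, with_ma=True) -> bytes:
    """Access-Request: Authenticator field = the random request_auth.
    Responses: Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    attrs = list(attrs)
    if with_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN)))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if code == ACCESS_REQUEST:
        auth = request_auth
    else:
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_response(packet, request_auth, secret, require_ma=True):
    """Return (accepted, reason). require_ma=True is the Require-Message-Authenticator
    behaviour: a response without a valid attribute 80 is discarded."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False, "unexpected code"
    resp_auth, body = packet[4:20], packet[20:]
    try:
        attrs = parse_attributes(body)
    except ValueError as exc:
        return False, str(exc)
    # MD5 Response Authenticator: the only check a client without the option performs,
    # and the one defeated by the MD5 chosen-prefix collision behind VU#456537.
    expected_auth = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected_auth, resp_auth):
        return False, "bad Response Authenticator"
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if require_ma:
            return False, "discarded: no Message-Authenticator"
        return True, "accepted without Message-Authenticator"
    if len(mas) != 1 or len(mas[0]) != MA_LEN:
        return False, "malformed Message-Authenticator"
    expected_ma = message_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected_ma, mas[0]):
        return False, "bad Message-Authenticator"
    return True, "accepted"


# Constructed sample values (not real credentials or captured traffic).
SECRET = b"example-shared-secret"
REQ_AUTH = os.urandom(16)
IDENT = 42


def demo():
    request = build_packet(ACCESS_REQUEST, IDENT, REQ_AUTH, [(ATTR_USER_NAME, b"alice")], SECRET)
    # A server that sets Message-Authenticator: accepted with the option on or off.
    good = build_packet(ACCESS_ACCEPT, IDENT, REQ_AUTH, [], SECRET, with_ma=True)
    # An Access-Accept without Message-Authenticator but with a correct Response
    # Authenticator: stand-in for the forged response of VU#456537.
    forged = build_packet(ACCESS_ACCEPT, IDENT, REQ_AUTH, [], SECRET, with_ma=False)
    return {
        "request_has_ma": any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in parse_attributes(request[20:])),
        "good_strict": verify_response(good, REQ_AUTH, SECRET, require_ma=True),
        "forged_lax": verify_response(forged, REQ_AUTH, SECRET, require_ma=False),
        "forged_strict": verify_response(forged, REQ_AUTH, SECRET, require_ma=True),
        "wrong_request_auth": verify_response(good, os.urandom(16), SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "forged_lax" case is the vulnerable path: the MD5 Response Authenticator matches, so a client without the option accepts the packet; the same packet is discarded once the option is enforced. To check a real server before enabling the option, feed its Access-Accept bytes and the matching Request Authenticator into verify_response and confirm it returns "accepted" rather than "discarded: no Message-Authenticator".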

LCOS:

There are several functions in LCOS for which the Message-Authenticator can be enforced:

  • Setup/WAN/RADIUS/Require-Msg-Authenticator
    • Console command: set Setup/WAN/RADIUS/Require-Msg-Authenticator yes
  • Setup/WAN/RADIUS/L2TP-Require-Msg-Authenticator
    • Console command: set Setup/WAN/RADIUS/L2TP-Require-Msg-Authenticator yes
  • Setup/VPN/IKEv2/RADIUS/Authorization/Server (Require-Msg-Authenticator)
    • Console command: set Setup/VPN/IKEv2/RADIUS/Authorization/Server/<name of the RADIUS server> {Require-Msg-Authenticator} yes
  • Setup/Config/Radius/Server (Require-Msg-Authenticator)
    • Console command: set Setup/Config/Radius/Server/<name of the RADIUS server> {Require-Msg-Authenticator} yes
  • Setup/RADIUS/Server/Clients (Require-Msg-Authenticator)
    • Console command: set Setup/RADIUS/Server/Clients/<IPv4 address of the RADIUS client> {Require-Msg-Authenticator} yes
  • Setup/RADIUS/Server/IPv6-Clients (Require-Msg-Authenticator)
    • Console command: set Setup/RADIUS/Server/IPv6-Clients/<IPv6 address of the RADIUS client> {Require-Msg-Authenticator} yes
  • Setup/RADIUS/Server/Forward-Servers (Require-Msg-Authenticator)
    • Console command: set Setup/RADIUS/Server/Forward-Servers/<name of the realm> {Require-Msg-Authenticator} yes

Connect to the device via the console (SSH) and enter the command for each function that you use, as listed above.



LCOS LX:

Connect to the access point via the console (SSH) and enter the command to enforce the Message-Authenticator in the following format:

set Setup/RADIUS/RADIUS-Server/<name of the RADIUS server> {Require-Message-Authenticator} yes



LCOS SX:

LCOS SX 3.34:

1. In the web interface, go to the menu Security → AAA → Configuration and set the Enforce Message Authenticator option to Enabled.

The Enforce Message Authenticator option is activated globally.

2. Click Apply to apply the change.

3. Go to the menu Maintenance → Save/Restore → Save Start and click on Save to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.


LCOS SX 4.00:

1. In the web interface, go to the menu Security → RADIUS → Configuration and tick the checkbox next to Enforce Message Authenticator. Then click Apply to apply the change.

The Enforce Message Authenticator option is activated globally.

2. Click on the red disc symbol in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.

3. Confirm the saving process by clicking on OK.


LCOS SX 4.20 / 4.30:

1. In the web interface, go to the menu Security → RADIUS → Configuration and tick the checkbox next to Enforce Message Authenticator. Then click Apply to apply the change.

The Enforce Message Authenticator option is activated globally.

2. Click on the red disc symbol in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.

3. Confirm the saving process by clicking on OK.


LCOS SX 5.20:

1. In the web interface, go to the menu Security → RADIUS → Named Server and click on Add to create an entry for an external RADIUS server.

If an entry already exists, you can select it and click on Edit to edit the entry.

2. Enter the parameters for the external RADIUS server and select the Enable option for Enforce Message Authenticator. Then click on Submit.

The Enforce Message Authenticator option must be activated separately for each RADIUS server.

3. Click Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.

Alternatively, you can save the current configuration as the start configuration via the console using the write memory command.

4. Confirm the saving process by clicking OK.