Description:

This article describes recommended actions for the security vulnerability in the RADIUS protocol [VU#456537]. 

Requirements:

  • Any SSH client for accessing the console (e.g. PuTTY)
  • Any web browser for accessing the web interface of the switches

General recommendation:

LANCOM Systems recommends using unencrypted RADIUS communication only in trusted network segments. Otherwise, RADIUS traffic should always be encrypted by transporting it over RADSEC (RADIUS over TLS).

Activation of the "Require-Message-Authenticator" option for the RADIUS client on the various operating systems:

The vulnerability can only be exploited if the "Message-Authenticator" attribute is not present in the RADIUS packets. If the "Require-Message-Authenticator" option is activated, the "Message-Authenticator" attribute must be present in every RADIUS response (Access-Accept, Access-Reject and Access-Challenge). Packets without a "Message-Authenticator" are discarded.

If the RADIUS server does not set the "Message-Authenticator", authentication via that RADIUS server is no longer possible once the option is activated! It is therefore essential to verify beforehand that the RADIUS server includes the Message-Authenticator in its responses.
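The following Python script is an added illustration and is not LANCOM code or code from this article. It models what the receiving side of "Require-Message-Authenticator" does: it checks the MD5 Response Authenticator defined in RFC 2865 and the HMAC-MD5 "Message-Authenticator" attribute (type 80) defined in RFC 2869, and it shows that a response whose Response Authenticator has been fixed up, which is the capability VU#456537 gives an attacker, is still dropped once the attribute is required. The shared secret, identifier, user name and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
RESPONSE_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80


def parse_attributes(body):
    """Split the attribute section into (type, value) pairs, rejecting malformed TLVs."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def encode_attributes(attrs):
    return b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)


def response_authenticator(header, request_authenticator, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def message_authenticator(header, request_authenticator, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5 over the packet with the attribute value zeroed;
    for responses the Authenticator field is the Request Authenticator of the matching
    Access-Request, which binds the response to that request."""
    zeroed = encode_attributes(
        [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    return hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()


def build_response(code, ident, request_authenticator, attrs, secret, with_message_authenticator):
    """Build an Access-Accept/Reject/Challenge the way a RADIUS server does."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", code, ident, 20 + len(encode_attributes(attrs)))
    if with_message_authenticator:
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(header, request_authenticator, attrs, secret))
    body = encode_attributes(attrs)
    return header + response_authenticator(header, request_authenticator, body, secret) + body


def check_response(packet, request_authenticator, secret, require_message_authenticator=True):
    """Validate a response as a RADIUS client with Require-Message-Authenticator would.
    Returns (accepted, reason)."""
    if len(packet) < 20:
        return False, "packet shorter than the 20-byte header"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "Length field does not match packet size"
    if code not in RESPONSE_CODES:
        return False, "not an Access-Accept/Reject/Challenge"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(resp_auth, response_authenticator(header, request_authenticator, body, secret)):
        return False, "Response Authenticator mismatch"
    try:
        attrs = parse_attributes(body)
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "Message-Authenticator missing; discarded under Require-Msg-Authenticator"
        return True, "accepted without Message-Authenticator (legacy behaviour, vulnerable)"
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(macs[0], message_authenticator(header, request_authenticator, attrs, secret)):
        return False, "Message-Authenticator mismatch"
    return True, "Message-Authenticator verified"


def forge_with_valid_response_authenticator(packet, request_authenticator, secret, new_code):
    """Simulate the outcome of VU#456537: the attacker ends up with a modified packet whose
    MD5 Response Authenticator is correct, but cannot touch the HMAC keyed on the secret.
    Here the Response Authenticator is simply recomputed with the secret to stand in for
    the collision; only the code byte changes and the attributes are left as they were."""
    header = struct.pack("!BBH", new_code, packet[1], len(packet))
    body = packet[20:]
    return header + response_authenticator(header, request_authenticator, body, secret) + body


def demo():
    """Constructed sample exchange; secret, identifier and Request Authenticator are made up."""
    secret = b"constructed-shared-secret-not-real"
    req_auth = os.urandom(16)  # in practice taken from the Access-Request being answered
    attrs = [(ATTR_USER_NAME, b"alice")]
    reject_with_ma = build_response(ACCESS_REJECT, 42, req_auth, attrs, secret, True)
    reject_legacy = build_response(ACCESS_REJECT, 42, req_auth, attrs, secret, False)
    forged_with_ma = forge_with_valid_response_authenticator(reject_with_ma, req_auth, secret, ACCESS_ACCEPT)
    forged_legacy = forge_with_valid_response_authenticator(reject_legacy, req_auth, secret, ACCESS_ACCEPT)
    return {
        "genuine Reject with MA, option on": check_response(reject_with_ma, req_auth, secret, True),
        "server omits MA, option on": check_response(reject_legacy, req_auth, secret, True),
        "forged Accept without MA, option off": check_response(forged_legacy, req_auth, secret, False),
        "forged Accept with stale MA, option on": check_response(forged_with_ma, req_auth, secret, True),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'ACCEPT' if ok else 'DROP'} ({reason})")
```

Run as a script, the third case shows why the option matters: with the option off and a server that omits the attribute, a forged Access-Accept with a correct Response Authenticator is accepted. The second case shows the operational caveat from the text: with the option on, a server that never sends the attribute is cut off completely, so confirm the server's behaviour (for example in a packet capture) before enabling the option on production devices.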

LCOS:

There are several functions in LCOS for which the Message-Authenticator can be enforced. Each option applies only to the listed function, so activate it for every RADIUS client role the device actually uses:

  • Setup/WAN/RADIUS/Require-Msg-Authenticator
    • Console command: set Setup/WAN/RADIUS/Require-Msg-Authenticator yes
  • Setup/WAN/RADIUS/L2TP-Require-Msg-Authenticator
    • Console command: set Setup/WAN/RADIUS/L2TP-Require-Msg-Authenticator yes
  • Setup/VPN/IKEv2/RADIUS/Authorization/Server (Require-Msg-Authenticator)
    • Console command: set Setup/VPN/IKEv2/RADIUS/Authorization/Server/<name of the RADIUS server> {Require-Msg-Authenticator} yes
  • Setup/Config/Radius/Server (Require-Msg-Authenticator)
    • Console command: set Setup/Config/Radius/Server/<name of the RADIUS server> {Require-Msg-Authenticator} yes
  • Setup/RADIUS/Server/Clients (Require-Msg-Authenticator)
    • Console command: set Setup/RADIUS/Server/Clients/<IPv4 address of the RADIUS client> {Require-Msg-Authenticator} yes
  • Setup/RADIUS/Server/IPv6-Clients (Require-Msg-Authenticator)
    • Console command: set Setup/RADIUS/Server/IPv6-Clients/<IPv6 address of the RADIUS client> {Require-Msg-Authenticator} yes
  • Setup/RADIUS/Server/Forward-Servers (Require-Msg-Authenticator)
    • Console command: set Setup/RADIUS/Server/Forward-Servers/<name of the realm> {Require-Msg-Authenticator} yes

Connect to the device via the console and enter the desired command as described above.

Image of a network configuration interface displaying settings for a RADIUS authorization server, including server hostname, port details, and message authentication requirements.



LCOS LX:

Connect to the access point via the console and enter the command to force the message authenticator in the following format:

set Setup/RADIUS/RADIUS-Server/<name of the RADIUS server> {Require-Message-Authenticator} yes

Screenshot of a configuration menu for setting up a RADIUS server with options for default account settings and required message authentication set to 'yes'.



LCOS SX:

LCOS SX 3.34:

1. In the web interface, go to the menu Security → AAA → Configuration and set the Enforce Message Authenticator option to Enabled.

The Enforce Message Authenticator option is activated globally.

2. Click Apply to accept the change.

Screenshot of a user interface showing the 'ApplyReset' button, possibly within a settings or configuration menu.

3. Go to the menu Maintenance → Save/Restore → Save Start and click on Save to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.

Screenshot of a system configuration menu, featuring options to save settings, restart the device, manage firmware, and reset to factory defaults.


LCOS SX 4.00:

1. In the web interface, go to the menu Security → RADIUS → Configuration and tick the checkbox next to Enforce Message Authenticator. Then click Apply to apply the change.

The Enforce Message Authenticator option is activated globally.

A detailed configuration menu for a network management system displaying options for RADIUS server settings, PoE management, VLAN, QoS, MAC address tables, security protocols, DHCP settings, and other networking parameters.

2. Click on the red disc symbol in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.


3. Confirm the saving process by clicking on OK.



LCOS SX 4.20 / 4.30:

1. In the web interface, go to the menu Security → RADIUS → Configuration and tick the checkbox next to Enforce Message Authenticator. Then click Apply to apply the change.

The Enforce Message Authenticator option is activated globally.

Screenshot of a technical configuration interface displaying various network settings including RADIUS Server Configuration, VLAN Management, IP Source Guard, and Port Security.

2. Click on the red disc symbol in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.


3. Confirm the saving process by clicking on OK.



LCOS SX 5.20:

1. In the web interface, go to the menu Security → RADIUS → Named Server and click on Add to create an entry for an external RADIUS server.

If an entry already exists, you can select it and click on Edit to edit the entry.

An image of a complex technical configuration interface displaying various system settings including routing, security, QoS, stacking configuration, RADIUS server status, and networking statistics.

2. Enter the parameters for the external RADIUS server and select the Enable option for Enforce Message Authenticator. Then click on Submit.

Unlike in earlier LCOS SX versions, the Enforce Message Authenticator option is not global here: it must be activated separately for each RADIUS server entry.

Screenshot of a RADIUS server configuration interface showing fields for IP address, server name, port number, secret, server type, message authenticator options, and authentication enforcement settings.

3. Click Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even after a restart of the device or a power failure.

Alternatively, you can save the current configuration as the start configuration via the console using the write memory command.

A technical user interface menu displaying various network settings including Switching, Routing, Security, QoS, and Stacking options.

4. Confirm the saving process by clicking OK.
