FreeRadius Error - require_message_authenticator

Started by danderson, August 09, 2024, 05:02:08 PM

My RADIUS is still working with this AP, I don't see where to set this option in OPNsense. Any ideas?

Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
Error: Please set "require_message_authenticator = true" for client AP1   
Error: It looks like the client has been updated to protect from the BlastRADIUS attack.   
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
Error: Setting "require_message_authenticator = true" for client AP1   
Error: BlastRADIUS check: Received packet with Message-Authenticator.   
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I'm receiving the same error in FreeRADIUS. How can we set this option? Why are there no advanced options in the OPNsense FreeRADIUS package?

Because general development policy is not to offer free form text fields for advanced options but to integrate each necessary option individually. Pull requests welcome ;)

I'll probably look into it later today although I do not have a test environment - so your help in review of the patch would be needed.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sure, let me know how I can help. FWIW, this option is a dropdown box (not a free form text field) in the pfsense freeradius package.

October 16, 2024, 09:06:55 PM #4 Last Edit: October 17, 2024, 08:47:07 AM by Patrick M. Hausen
Do you know how to manually apply patches? Please evaluate these:

https://github.com/punktDeForks/opnsense-plugins/commit/56cc9312f184a60e8b0916cffc1e204f3dd225f3

Thanks!
Patrick

I don't. Is there an official guide for manually applying patches that I can follow?

October 17, 2024, 08:14:34 AM #6 Last Edit: October 17, 2024, 08:39:32 AM by kevindd992002
Is this the correct command?

opnsense-patch -a punktDeForks -c plugins a1f6543

EDIT: Looks like it's downloading from the incorrect URL:

root@OPNsense:~ # opnsense-patch -a punktDeForks -c plugins a1f6543
fetch: https://github.com/punktDeForks/plugins/commit/a1f6543.patch: Not Found

How do I change the path to "opnsense-plugins" instead?

October 17, 2024, 08:53:55 AM #7 Last Edit: October 17, 2024, 09:01:57 AM by Patrick M. Hausen
Sorry, I don't know that one with the plugin repo for sure. The repo is used to build the plugins, I doubt you can live patch a running installation with opnsense-patch directly from it.

With "manual" I meant download the diffs and apply them locally. But to make this easier:


cp /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf.bak
fetch -o /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
cp /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml.bak
fetch -o /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
cp /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml.bak
fetch -o /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml


@franco could you help, please? Can one apply this set of patches with opnsense-patch? If yes, how exactly?

https://github.com/punktDeForks/opnsense-plugins/commit/56cc9312f184a60e8b0916cffc1e204f3dd225f3

Ok, I just applied the patch manually and ticked the require message authenticator box for my AP clients. Let me monitor the freeradius logs and get back to you.

@kevindd992002 - so?  :)

Looks good. Although, I noticed that the opnsense firewall itself is not "upgraded" as a radius client:

Quote2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense   
2024-10-18T15:31:25           Error: UPGRADE THE CLIENT AS YOUR NETWORK MAY BE VULNERABLE TO THE BLASTRADIUS ATTACK.   
2024-10-18T15:31:25           Error: The packet does not contain Message-Authenticator, which is a security issue.   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Setting "limit_proxy_state = true" for client OPNsense   
2024-10-18T15:31:25           Error: BlastRADIUS check: Received packet without Proxy-State.   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense   
2024-10-18T15:31:25           Error: UPGRADE THE CLIENT AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.   
2024-10-18T15:31:25           Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
2024-10-18T15:31:25           Error: Setting "require_message_authenticator = false" for client OPNsense   
2024-10-18T15:31:25           Error: BlastRADIUS check: Received packet without Message-Authenticator.
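
One way to turn log output like the above into a per-client to-do list, as an added example that is not part of the original posts or of the FreeRADIUS or OPNsense code. The sample lines are constructed from the messages quoted in this thread, and the function name and action labels are this example's own.

```python
import re

# Constructed sample, modelled on the FreeRADIUS messages quoted in this thread.
SAMPLE_LOG = """\
2024-10-18T15:31:25 Error: Please set "require_message_authenticator = true" for client AP1
2024-10-18T15:31:25 Error: Setting "require_message_authenticator = true" for client AP1
2024-10-18T15:31:25 Error: BlastRADIUS check: Received packet with Message-Authenticator.
2024-10-18T15:31:25 Error: Once the client is upgraded, set "require_message_authenticator = true" for client OPNsense
2024-10-18T15:31:25 Error: Setting "limit_proxy_state = true" for client OPNsense
2024-10-18T15:31:25 Error: BlastRADIUS check: Received packet without Proxy-State.
2024-10-18T15:31:25 Error: Setting "require_message_authenticator = false" for client OPNsense
2024-10-18T15:31:25 Error: BlastRADIUS check: Received packet without Message-Authenticator.
"""

CLIENT = r'for client (.+?)\s*$'  # tolerate the trailing spaces seen in the log view
READY = re.compile(r'Please set "require_message_authenticator = true" ' + CLIENT)
NOT_READY = re.compile(
    r'Once the client is upgraded, set "require_message_authenticator = true" ' + CLIENT)
AUTO = re.compile(r'Setting "(\w+) = (\w+)" ' + CLIENT)


def triage(log_text):
    """Map client name -> {'action': ..., 'auto': {setting: value}}.

    Only lines that name a client are used, so the result does not depend on
    whether the log is listed oldest-first or newest-first.
    """
    clients = {}

    def entry(name):
        return clients.setdefault(name, {"action": None, "auto": {}})

    for line in log_text.splitlines():
        if m := NOT_READY.search(line):
            # Client sent no Message-Authenticator: it must be upgraded first.
            entry(m.group(1))["action"] = "upgrade-client-first"
        elif m := READY.search(line):
            e = entry(m.group(1))
            if e["action"] is None:  # never downgrade an "upgrade" finding
                e["action"] = "enable-now"
        elif m := AUTO.search(line):
            key, value, name = m.groups()
            entry(name)["auto"][key] = value  # value the server chose by itself
    return clients


if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name}: {info['action']} (auto-detected: {info['auto']})")
```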

OK. I'll submit this change as a pull request and then look after OPNsense as a client.

Thanks for testing.

Thanks for the help!



No way I am implementing that myself - sorry. I opened a feature request instead.

https://github.com/opnsense/core/issues/7983

Updated with your code, Patrick, and then enabled the option in the client section for my APs; no more error/warning and devices can still connect correctly.

Thx for the fix/update.

Hopefully @Franco can merge it in the next release

