Feature #15952
closed
User Auth RADIUS Client Secure Protocols
0%
Description
In response to Blast-RADIUS (CVE-2024-3596), we need more secure options for User Authentication via RADIUS. Ideally, we'd have support for EAP protocol types rather than the insecure MS-CHAP and even more insecure PAP. Or at the least, support for using the Message-Authenticator attribute in the packet.
We already have support for EAP protocol types in FreeRADIUS and for authenticating IPSec, so I'm not sure why it's not part of the User authentication RADIUS client too.
Files
| RADIUSPRTCL.png (47.8 KB) RADIUSPRTCL.png | List of currently available protocols for RADIUS authentication client |
Updated by Jim Pingle 8 months ago
- Status changed from New to Needs Patch
- Priority changed from High to Normal
We are limited by what is supported in the underlying upstream PHP RADIUS libraries, which lack such support. If an alternative presents itself, we can look into changing.
If communication with the RADIUS server only happens over secure, trusted links (e.g. VPN or secure network segments), such vulnerabilities are irrelevant.
Updated by Alex Kolesnik 4 days ago
Hi Jim. Looks like this radius client implementation supports the required attribute - https://codeberg.org/fkooman/php-radius