Feature #15952 - PHP RADIUS client ``Message-Authenticator`` attribute capability
Status: Closed (100% done)
Description
In response to Blast-RADIUS (CVE-2024-3596), we need more secure options for User Authentication via RADIUS. Ideally, we'd have support for EAP protocol types rather than the insecure MS-CHAP and even more insecure PAP. Or at the least, support for using the Message-Authenticator attribute in the packet.
We already have support for EAP protocol types in FreeRADIUS and for authenticating IPSec, so I'm not sure why it's not part of the User authentication RADIUS client too.
Updated by Jim Pingle about 1 year ago
- Status changed from New to Needs Patch
- Priority changed from High to Normal
We are limited by what is supported in the underlying upstream PHP RADIUS libraries, which lack such support. If an alternative presents itself, we can look into changing.
If communication with the RADIUS server only happens over secure, trusted links (e.g. VPN or secure network segments), such vulnerabilities are irrelevant.
Updated by Alex Kolesnik 6 months ago
Hi Jim. Looks like this radius client implementation supports the required attribute - https://codeberg.org/fkooman/php-radius
Updated by Christian McDonald 4 months ago
- Status changed from Needs Patch to In Progress
- Assignee set to Christian McDonald
- Target version set to CE-Next
- Plus Target Version set to 25.11
Updated by Christian McDonald 4 months ago
- Status changed from In Progress to Feedback
Updated by Marcos M 4 months ago
- Subject changed from User Auth RADIUS Client Secure Protocols to Support Message-Authenticator in the PHP RADIUS client
- Target version changed from CE-Next to 2.9.0
- % Done changed from 0 to 100
Tested working; "Require Message Authenticator" can now be set to "Yes" in FreeRADIUS when using pfSense as a client.
Updated by Ansley Barnes 4 months ago
Is there a chance that this could be extended to the L2TP RADIUS authentication section?
Updated by Stefano Ceccherini 3 months ago
Does this mean pfSense always sends the Message-Authenticator attribute now, or am I getting it wrong?
Authentication does not work against Microsoft NPS if I check the box "Access-Request must contain the Message-Authenticator attribute"
The event log says the request does not contain the attribute.
If I clear the box, everything works correctly.

Updated by Marcos M 3 months ago
- Plus Target Version changed from 25.11 to 26.03
My tests were from some Access Points and from Diagnostics > Authentication on pfSense 26.03. The Message-Authenticator attribute can be seen with a pcap. The change was picked to 25.11 but there must be something else missing there because I can't get it to work on 25.11.
Updated by Marcos M about 1 month ago
- Status changed from Resolved to Confirmed
- % Done changed from 100 to 0
It's no longer working on the latest 26.03 snapshot.
Updated by Christian McDonald about 1 month ago
- Status changed from Confirmed to In Progress
Updated by Christian McDonald about 1 month ago
We need to plumb support for this down through the Auth_RADIUS wrapper for the PHP Radius extension, and add a GUI knob to enable/disable this on the client side.
This is in progress.
Updated by Marcos M about 1 month ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:d87fac91ec73fbf9082043491061612634cca09d.
Updated by Jim Pingle 27 days ago
- Subject changed from Support Message-Authenticator in the PHP RADIUS client to Add ``Message-Authenticator`` attribute capability to the PHP RADIUS client
Updated by Jim Pingle 27 days ago
- Subject changed from Add ``Message-Authenticator`` attribute capability to the PHP RADIUS client to PHP RADIUS client ``Message-Authenticator`` attribute capability
Updated by Jim Pingle 15 days ago
- Status changed from Feedback to Resolved
This seems to be working as far as I can tell. Behavior follows the configuration in the GUI as expected. When it's set to omit, the attribute is not in the RADIUS request. When it's not set to omit, the attribute is included.
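The exchange discussed in this ticket, as an added example that is not pfSense, php-radius or PHP RADIUS extension code: a client builds an Access-Request with Message-Authenticator (RFC 2869 s5.14, HMAC-MD5 keyed by the shared secret over the packet with the attribute value zeroed) or omits it, and a server-side check reports what a server configured to require the attribute (the FreeRADIUS "Require Message Authenticator" setting and the NPS "must contain" option mentioned above) would see. The secret, user name, password and Request Authenticator are constructed sample values; a real client draws the Request Authenticator from a CSPRNG.

```python
"""Build and check a RADIUS Access-Request carrying Message-Authenticator (RFC 2869 s5.14)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + Request Authenticator(16)


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (PAP): MD5 keystream XOR, chained per 16-byte block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV attribute: type, total length (including the 2 header bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int, request_authenticator: bytes,
                         include_message_authenticator: bool = True) -> bytes:
    """Client side: Access-Request with or without Message-Authenticator (the GUI knob)."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, request_authenticator, password))
    if include_message_authenticator:
        # 16 zero bytes as placeholder; the HMAC is computed over the packet in this state.
        attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet += request_authenticator + attrs
    if include_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the placeholder is the last 16 bytes of the packet
    return packet


def parse_attributes(packet: bytes):
    """Yield (type, offset, value) for each attribute; reject malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos, packet[pos + 2:pos + attr_len]
        pos += attr_len


def check_message_authenticator(secret: bytes, packet: bytes) -> str:
    """Server side: 'missing', 'valid' or 'invalid'. A server that requires the attribute
    accepts only 'valid' requests."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "invalid"
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return "invalid"
        zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "missing"


# Constructed sample values (hypothetical); a real client uses os.urandom(16) for the authenticator.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))


def demo() -> dict:
    """Run the four cases a practitioner would want to see on the wire."""
    good = build_access_request(SECRET, b"alice", b"s3cret", 7, REQUEST_AUTHENTICATOR)
    omitted = build_access_request(SECRET, b"alice", b"s3cret", 7, REQUEST_AUTHENTICATOR,
                                   include_message_authenticator=False)
    tampered = good[:22] + bytes([good[22] ^ 0x01]) + good[23:]  # flip one byte of User-Name
    return {
        "with_attribute": check_message_authenticator(SECRET, good),
        "omitted": check_message_authenticator(SECRET, omitted),
        "tampered": check_message_authenticator(SECRET, tampered),
        "wrong_secret": check_message_authenticator(b"wrong", good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The "omitted" case is what the NPS event log in the comments reports when the client does not send the attribute; the "tampered" case is the point of the attribute, since an on-path attacker who cannot produce the HMAC-MD5 under the shared secret cannot modify the request. The check above covers the request direction only; a server hardened against Blast-RADIUS also includes Message-Authenticator in its responses so the client can verify them.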