Technical Note: Custom FortiGate IPS signature to block Interim Radius packets
Description
When RSSO is used, the reception of a RADIUS Interim Update accounting message resets the user's "rsso-context-timeout" timer.
If the administrator wants to enforce a limited maximum connection time, the RADIUS server should be configured not to send Interim Update messages. Alternatively, the packet can be blocked by the FortiGate with a custom IPS signature.
Scope
The IPS signature applies to all versions. The syntax shown for applying it was taken from FortiOS v5.2.
Solution
Checking a Radius Interim Update message from a FortiGate sniffer capture
Example of LOG message from the FortiGate.
date=2016-08-19 time=08:37:29 logid=0102038666 type=event subtype=user level=notice vd="root" logdesc="RADIUS accounting event" carrier_ep="32348956215" srcip=10.20.0.164 rsso_key="N/A" msg="RADIUS accounting event" acct_stat=Interim-Update
Example of a packet capture on the FortiGate.
FG300B-7 # diag sniffer packet any "port 1813" 6 0 a

The RADIUS Acct-Status-Type attribute is identified by the bytes "28 06" (attribute type 40, 6 bytes long). Its value is "3" for an Interim-Update, "1" for a Start message and "2" for a Stop message.
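As an added illustration that is not part of the original note, the following Python script builds constructed RADIUS Accounting-Request packets for the three Acct-Status-Type values, decodes the attribute the way a RADIUS parser would, and checks the same raw byte pattern the custom signature uses, |28 06 00 00 00 03|. The zeroed Request Authenticator and the use of the Class attribute (type 25) for the look-alike packet are assumptions made for the constructed samples. The script also shows the caveat of a pure byte-pattern match: the six bytes can occur inside another attribute's value, so a non-Interim packet can match the signature too.

```python
import struct

ACCT_REQUEST = 4          # RADIUS Code for Accounting-Request (RFC 2866)
ACCT_STATUS_TYPE = 40     # attribute type 40 = 0x28, the "28" in the signature pattern
CLASS_ATTR = 25           # RFC 2865 Class attribute, used for the constructed look-alike packet
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# Byte pattern from the custom signature: Acct-Status-Type header (0x28, length 6) + value 3.
IPS_PATTERN = bytes.fromhex("28 06 00 00 00 03")


def build_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value; Length covers the header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_acct_request(status: int, identifier: int = 1, extra_avps=()) -> bytes:
    """Constructed Accounting-Request carrying Acct-Status-Type (1 Start, 2 Stop, 3 Interim-Update).
    The 16-byte Request Authenticator is zeroed here (assumption); a real client computes it
    as an MD5 over the packet and the shared secret."""
    avps = build_avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
    for attr_type, value in extra_avps:
        avps += build_avp(attr_type, value)
    authenticator = b"\x00" * 16
    return struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(avps)) + authenticator + avps


def parse_avps(packet: bytes):
    """Walk the attribute list of an Accounting-Request, validating every length field."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    pos, avps = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return avps


def acct_status(packet: bytes):
    """Return the Acct-Status-Type name by decoding the attribute, as a RADIUS parser would."""
    for attr_type, value in parse_avps(packet):
        if attr_type == ACCT_STATUS_TYPE and len(value) == 4:
            return STATUS_NAMES.get(struct.unpack("!I", value)[0], "Unknown")
    return None


def ips_pattern_hits(packet: bytes) -> bool:
    """Emulate the custom signature: a raw byte-pattern match anywhere in the UDP payload."""
    return IPS_PATTERN in packet


def classify(packet: bytes) -> dict:
    """Compare the decoded status with what the byte-pattern signature would decide."""
    return {"status": acct_status(packet), "signature_match": ips_pattern_hits(packet)}


# Constructed sample packets (not captured traffic).
START = build_acct_request(1)
STOP = build_acct_request(2)
INTERIM = build_acct_request(3)
# Constructed edge case: a Start packet whose Class attribute happens to carry the six bytes.
LOOKALIKE = build_acct_request(1, extra_avps=[(CLASS_ATTR, IPS_PATTERN)])

if __name__ == "__main__":
    for name, pkt in [("Start", START), ("Stop", STOP),
                      ("Interim-Update", INTERIM), ("look-alike", LOOKALIKE)]:
        print(f"{name:15s} attrs={pkt[20:].hex(' ')}  -> {classify(pkt)}")
```

Run the script directly to print the attribute bytes and the classification of each constructed packet. The look-alike case is why the FortiGate IPS log for attack ID 6461 should be compared with the RADIUS server's own accounting log when verifying that only Interim-Update packets were dropped.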

Configuration
The Interim Update accounting packet can be filtered on the FortiGate with an IPS signature.
1) Create the custom signature to block the RADIUS Interim Update message.
FG300B-7 # show full-configuration ips custom RADIUS-Acct-Update-Discard
config ips custom
    edit "RADIUS-Acct-Update-Discard"
        set signature "F-SBID( --attack_id 6461; --name \"RADIUS.Acct-Update.Discard\"; --protocol udp; --dst_port 1813; --pattern \"|28 06 00 00 00 03|\"; )"
        set severity medium
        unset location
        unset os
        unset application
        set protocol RADIUS
        set status enable
        set log enable
        set log-packet enable
        set action block
        set comment ''
    next
end
The rule is saved with ID 6461.
2) Attach signature ID 6461 to an IPS sensor "Radius-test" and enable logging.
FG300B-7 # show ips sensor Radius-test
config ips sensor
    edit "Radius-test"
        config entries
            edit 1
                set rule 6461
                set status enable
                set log-packet enable
                set log-attack-context enable
                set action block
            next
        end
    next
end
3) Attach the IPS sensor "Radius-test" to the firewall interface policy.
FG300B-7 # show firewall interface-policy
config firewall interface-policy
    edit 1
        set logtraffic all
        set interface "port3"
        set srcaddr "Rad-srv"
        set dstaddr "all"
        set service "RADIUS"
        set ips-sensor-status enable
        set ips-sensor "Radius-test"
    next
end
Troubleshooting
Enable IPS engine debugging; when an Interim Update packet hits the interface policy, the output shows attack ID 6461 being matched and logged:
FG300B-7 # diag debug app ipsengine 255
L2 packet: vf:0 dev:12 view:1 policy:1 size:86
(xlr--1) log request 1
attack_id=6461 app=0 client=1 reversed=0 opaque=0x1
fds 6461
log ips 6461
(xlr--1) log request 2
handle a ring (count: 1)