FortiGate
pginete
Staff
Article Id 343112
Description

This article describes how to fix the RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5.

Scope

FortiGate.
Solution

[Screenshot: RADIUS server connection test on v7.4.3]

RADIUS connection was successful in v7.4.3 or v7.2.9.

[Screenshot: RADIUS server connection test on v7.4.5]

After upgrading to v7.4.5 or v7.2.10, the RADIUS connection failed.

 

To fix this, configure the third-party RADIUS server to include the Message-Authenticator attribute in its RADIUS messages.

This attribute is mandatory starting in v7.2.10/v7.4.5 and in the upcoming v7.6.1.

 

Suggested solutions/firmware for third-party RADIUS servers:

  • Windows Server: see the RADIUS Authentication for Windows NPS section below for more information.
  • Linux FreeRADIUS: so far, Fortinet has confirmed that these versions work: 3.0.26, 3.2.3, 3.2.5, 3.2.6.
  • Cisco ISE: under the Allowed Protocols configuration, enable 'Require Message-Authenticator for all RADIUS Requests' (reference from Cisco: Cisco ISE: Blast-RADIUS (CVE-2024-3596) Protocol Spoofing Mitigation).
  • Duo: Duo has been made aware of the issue; however, based on the knowledge article published on the Duo site on September 17, 2024 (Are Duo applications impacted by the Blast-RADIUS vulnerability?), there is no indication yet that Duo supports enforcing the Message-Authenticator attribute in RADIUS communication.
    Reach out to Duo for more information. If production is impacted, consider downgrading the firmware to 7.2.9, 7.4.4, or 7.6.0, although this is not recommended.

If FortiAuthenticator is being used as the RADIUS server, upgrade FortiAuthenticator to 6.4.10, 6.5.6, 6.6.2, or 7.0.0. FortiAuthenticator 6.6.2 is currently released and the rest are expected to be released in Q4 2024.

 

FortiAuthenticator Upgrade path:
Technical Tip: FortiAuthenticator officially supported upgrade path

 

In the fnbamd debug, the following debug messages show that the server is responding without the Message-Authenticator attribute, meaning the FortiGate will reject the digest and fail to validate with the RADIUS server:

 

[1156] __rad_chk_resp_authenticator-No Message Authenticator
[1210] fnbamd_rad_validate_pkt-Invalid digest
[905] __rad_rxtx-Error validating radius rsp
[1028] __rad_error-Ret 5, st = 1.

 

RADIUS over TLS (RADSEC) is not affected, as the Message-Authenticator attribute does not need to be enabled on the RADIUS server in that case. If using FortiAuthenticator as the RADIUS server, upgrade to v6.6.2 to fix it.

 

The behavior change is due to the mitigation of the RADIUS protocol vulnerability CVE-2024-3596.

RADIUS Authentication for Windows NPS.
FortiGate has changed the RADIUS authentication method against Windows Servers; more information can be found here: RADIUS vulnerability.
FortiGate now sends the Message-Authenticator attribute along with the Access-Request packet to the RADIUS server, as can be seen in the PCAP screenshot below:

[Screenshot: packet capture of an Access-Request carrying the Message-Authenticator attribute]


Solution:
Microsoft has already addressed this on their end by rolling out KB5040268. Check Windows Server for pending updates and install them. After that, check the connectivity: KB5040268: How to manage the Access-Request packets attack vulnerability associated with CVE-2024-35...

Also, on the RADIUS client, make sure this option is enabled:

[Screenshot: RADIUS client option in Windows NPS]

 

Once everything is done, FortiGate can authenticate the user successfully:

[Screenshot: successful RADIUS authentication from FortiGate]

 

Important Notes for v6.6.2 (as well as 6.4.10, 6.5.6 & 7.0.0, which are going to be released):

 

After upgrading FortiAuthenticator to v6.6.2 or a higher version, there is an option 'Require client to send Message-Authenticator attribute' (a new feature introduced in 6.6.2 to mitigate CVE-2024-3596) under the RADIUS client settings. This requires the RADIUS client to send the Message-Authenticator attribute in the Access-Request; otherwise the request is rejected. See the references:

Clients

Upgrade instructions

 

[Screenshot: 'Require client to send Message-Authenticator attribute' option in FortiAuthenticator]

 

FortiOS versions from 7.2.10, 7.4.5, and 7.6.1 send the Message-Authenticator attribute in the Access-Request message to the RADIUS server. FortiOS versions earlier than these do not support the Message-Authenticator attribute for RADIUS over TCP/UDP, so enabling this option on the FortiAuthenticator can lead to the following error.

 
 

[Screenshot: FortiGate RADIUS server test error]

 

Note that on FortiOS 7.2.10, only the GUI test will fail, because it does not send the Message-Authenticator AVP. See the known issues on FortiGate:
Known issues 7.2.10

Version 7.4.5 is not affected by this.

An example packet of a GUI test (copied from a packet capture of RADIUS), which is missing the attribute:


RADIUS Protocol:


    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 126
    Authenticator: 4a9a7728c1e7793d876629b98767026c (this is NOT the message-authenticator!)
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=testuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)

 

An example packet where the attribute is included:


RADIUS Protocol:

 

    Code: Access-Request (1)
    Packet identifier: 0x1d (29)
    Length: 204
    Authenticator: 289e42a9b407e5741a3fae7d9bfafefe
    Attribute Value Pairs
        AVP: t=NAS-Identifier(32) l=12 val=fgt.forti.lab
        AVP: t=User-Name(1) l=12 val=tstuser
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=24 vnd=Microsoft(311)
        AVP: t=Framed-IP-Address(8) l=6 val=0.0.0.0
        AVP: t=NAS-IP-Address(4) l=6 val=10.48.48.1
        AVP: t=NAS-Port-Type(61) l=6 val=Virtual(5)
        AVP: t=Called-Station-Id(30) l=12 val=10.48.48.1
        AVP: t=Acct-Session-Id(44) l=10 val=72f00f00
        AVP: t=Connect-Info(77) l=6 val=test
        AVP: t=Vendor-Specific(26) l=14 vnd=Fortinet, Inc.(12356)
        AVP: t=Message-Authenticator(80) l=18 val=af4f4d4fc0ee64b1d87f2ff715f27e48
            Type: 80
            Length: 18
            Message-Authenticator: af4f4d4fc0ee64b1d87f2ff715f27e48
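To make concrete what the fnbamd messages and the two packet dumps above mean, the following Python example (added here for illustration; it is not Fortinet code and not part of this article) builds RADIUS Access-Request and response packets with and without the Message-Authenticator attribute and runs the checks a NAS such as FortiGate now applies: presence of attribute 80, its HMAC-MD5 value per RFC 2869 section 5.14 (keyed with the shared secret over the packet with the attribute zeroed, and, for responses, over the Request Authenticator), and the RFC 2865 Response Authenticator. The shared secret, authenticator bytes and attribute values are constructed sample data, not captured traffic.

```python
"""Added example: build and verify the RADIUS Message-Authenticator (RFC 2869 5.14)
and the Response Authenticator (RFC 2865). All sample values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 32, 80
HDR = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows

# Constructed sample values (assumptions for this example, not real credentials)
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
ATTRS = [(ATTR_NAS_IDENTIFIER, b"fgt.forti.lab"), (ATTR_USER_NAME, b"testuser")]


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length covers the two header octets."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Build a RADIUS packet. With a secret, a Message-Authenticator is appended:
    HMAC-MD5(secret, whole packet with the attribute value set to 16 zero octets)."""
    body = encode_attrs(attrs)
    if secret is not None:
        body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = HDR.pack(code, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def build_response(code, ident, request_auth, attrs, secret, include_ma=True):
    """Response: Message-Authenticator is keyed over the *request's* Authenticator,
    then the Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    pkt = build_packet(code, ident, request_auth, attrs, secret if include_ma else None)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def find_message_authenticator(pkt):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    off, found = 20, None
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute")
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("bad attribute length")
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if length != 18:
                raise ValueError("bad Message-Authenticator length")
            found = off + 2
        off += length
    return found


def check_message_authenticator(pkt, secret, request_auth=None):
    """Return (ok, reason). The reasons mirror the fnbamd debug lines quoted in the
    article: a missing attribute and a failed HMAC comparison are both rejections."""
    if len(pkt) < 20 or HDR.unpack(pkt[:4])[2] != len(pkt):
        return False, "bad length"
    try:
        ma_off = find_message_authenticator(pkt)
    except ValueError as err:
        return False, str(err)
    if ma_off is None:
        return False, "No Message Authenticator"
    received = pkt[ma_off:ma_off + 16]
    zeroed = pkt[:ma_off] + b"\x00" * 16 + pkt[ma_off + 16:]
    if request_auth is not None:  # responses are keyed over the request's Authenticator
        zeroed = zeroed[:4] + request_auth + zeroed[20:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return False, "Invalid digest"
    return True, "ok"


def validate_response(resp, request_auth, secret):
    """What a NAS does with an Access-Accept/Reject: Response Authenticator first,
    then the Message-Authenticator that FortiOS 7.2.10/7.4.5 now require."""
    if len(resp) < 20:
        return False, "short packet"
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        return False, "bad Response Authenticator"
    return check_message_authenticator(resp, secret, request_auth)


if __name__ == "__main__":
    legacy = build_packet(ACCESS_REQUEST, 0, REQUEST_AUTH, ATTRS)            # no attribute 80
    current = build_packet(ACCESS_REQUEST, 0x1D, REQUEST_AUTH, ATTRS, SECRET)  # with attribute 80
    print(check_message_authenticator(legacy, SECRET))
    print(check_message_authenticator(current, SECRET))
    accept = build_response(ACCESS_ACCEPT, 0x1D, REQUEST_AUTH, [], SECRET)
    print(validate_response(accept, REQUEST_AUTH, SECRET))
```

Running the block prints a rejection for the legacy request, acceptance for the request carrying attribute 80, and acceptance for a response whose Message-Authenticator was computed over the Request Authenticator; pass a wrong secret or flip any byte of the user name and the result becomes the "Invalid digest" case seen in the fnbamd output.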

 

In summary:

  1. FortiOS (v7.2.9, v7.4.4 and earlier) - FortiAuthenticator (v6.6.1 or earlier) - works (matched: no check for Message-Authenticator).
  2. FortiOS (v7.2.9, v7.4.4 and earlier) - FortiAuthenticator (v6.6.2) - works (matched: no check for Message-Authenticator by default).
  3. FortiOS (v7.2.10, v7.4.5) - FortiAuthenticator (v6.6.1 or earlier) - broken (mismatched).
  4. FortiOS (v7.2.10, v7.4.5) - FortiAuthenticator (v6.6.2) - works (matched).