[RADIATOR] move Message-Authenticator to the top ?
Heikki Vatiainen
hvn at open.com.au
Mon Sep 16 13:31:59 UTC 2024
On 16.9.2024 11.34, Patrik Forsberg wrote:
> So I was finally able to try this.. and it didn’t work out of the box..
> I had to add a “StripFromReply Message-Authenticator” too .. otherwise
> it added the Message-Authenticator anyway..
Yes, if you're e.g., proxying, then StripFromReply within AuthBy RADIUS
or CLient is needed in addition to the hook. The hook should be enough
when the reply is directly generated by Radiator.
> But yes it fixed the issue with the device I had problems with..
That's interesting. It's also a bit of a concern because it removes the
mitigation against Blast-RADIUS. Messsage-Authenticator has been around
for a long time and even if they don't require it, it would be good if
they would somehow recognise (or better verify) it, instead of of
discarding the reply.
If you can reply with information about the vendor, please let me know.
Thanks,
Heikki
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
More information about the radiator
mailing list