https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591511#M5545 <P>Does the Global Protect RADIUS implementation support Messaging Authentication?</P> <P>If not, how quickly will a hotfix to patch this vulnerable implementation of RADIUS be released?</P> <P>&nbsp;</P> <P>Background info:</P> <P>&nbsp;</P> <P>When configuring Global Protect we used RADIUS to integrate RSA Secure ID as a second factor to LDAP, to ensure it took more than just a password to log in, but now it turns out RADIUS was designed to use MD5 hash sums in a way that is inherently insecure as detailed here:&nbsp;&nbsp;<A href="https://www.blastradius.fail/pdf/radius.pdf" target="_blank">https://www.blastradius.fail/pdf/radius.pdf</A>&nbsp;</P> <P>&nbsp;</P> <P>RSA Secure ID released a patch which adds a new value to set in the RADIUS server config files (FreeRadius-Client-require-MA = yes), but the support documentation says the RADIUS client needs to support Messaging Authentication.&nbsp;<A href="https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Components-RSA-Authentication-Manager-and-RSA-Identity-Router" target="_blank">https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Components-RSA-Authentication-Manager-and-RSA-Identity-Router</A>&nbsp;</P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="Panorama" id="Panorama"></LI-PRODUCT>&nbsp;</P> Tue, 09 Jul 2024 22:24:30 GMT mmason 2024-07-09T22:24:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591511#M5545 <P>Does the Global Protect RADIUS implementation support Messaging Authentication?</P> <P>If not, how quickly will a hotfix to patch this vulnerable implementation of RADIUS be released?</P> <P>&nbsp;</P> <P>Background info:</P> <P>&nbsp;</P> <P>When configuring Global Protect we used RADIUS to integrate RSA Secure ID as a second factor to LDAP, to ensure it took more than just a password to log in, but now it turns out RADIUS was designed to use MD5 hash sums in a way that is inherently insecure as detailed here:&nbsp;&nbsp;<A href="https://www.blastradius.fail/pdf/radius.pdf" target="_blank">https://www.blastradius.fail/pdf/radius.pdf</A>&nbsp;</P> <P>&nbsp;</P> <P>RSA Secure ID released a patch which adds a new value to set in the RADIUS server config files (FreeRadius-Client-require-MA = yes), but the support documentation says the RADIUS client needs to support Messaging Authentication.&nbsp;<A href="https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Components-RSA-Authentication-Manager-and-RSA-Identity-Router" target="_blank">https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Components-RSA-Authentication-Manager-and-RSA-Identity-Router</A>&nbsp;</P> <P>&nbsp;</P> <P><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="Panorama" id="Panorama"></LI-PRODUCT>&nbsp;</P> Tue, 09 Jul 2024 22:24:30 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591511#M5545 mmason 2024-07-09T22:24:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591521#M5546 <P>Even I'm not sure this is what we are looking at, I found new command on 11.1.3 and above.</P> <P>I'm not testing anything about it yet and also I'm not researching it on other branches.</P> <P>&nbsp;</P> <P>"set auth radius-require-msg-authentic yes/no" might be answer for us.</P> <P>&nbsp;</P> <LI-CODE lang="markup">admin@PA-VM&gt; show system info | match sw-version sw-version: 11.1.1 admin@PA-VM&gt; set auth ? * strict-username-check Use strict username check for user role access admin@PA-VM&gt; admin@PA-VM&gt; show system info | match sw-version sw-version: 11.1.2 admin@PA-VM&gt; set auth ? * strict-username-check Use strict username check for user role access admin@PA-VM&gt; admin@PA-VM&gt; show system info | match sw-version sw-version: 11.1.3 admin@PA-VM&gt; set auth ? &gt; radius-require-msg-authentic Flag to check Message-Authenticator in RADIUS response &gt; remote-host-check check remote host (client IP address) during auth redirects &gt; strict-username-check Use strict username check for user role access admin@PA-VM&gt; </LI-CODE> <P><BR />&nbsp;</P> Wed, 10 Jul 2024 01:59:51 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591521#M5546 emr_1 2024-07-10T01:59:51Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591605#M5549 <P>That looks promising! Will try it out.</P> <P>&nbsp;</P> Wed, 10 Jul 2024 16:14:38 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591605#M5549 mmason 2024-07-10T16:14:38Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591616#M5550 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/250657">@mmason</a></P> <P>&nbsp;</P> <P>based on advisory for&nbsp;<A href="http://CVE-2024-3596" target="_self">CVE-2024-3596</A>&nbsp;the authentication check in RADIUS has been introduced in these versions and newer:&nbsp;PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 10 Jul 2024 22:40:51 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591616#M5550 PavelK 2024-07-10T22:40:51Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591617#M5551 <P>Thanks for confirming, waiting for our maintenance window to apply 11.1.3 so we can enable this setting, much appreciated!</P> Wed, 10 Jul 2024 22:43:31 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/591617#M5551 mmason 2024-07-10T22:43:31Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/594964#M5673 <P>I ran this command on a PA-5430 with 11.1.3-h4 installed.&nbsp;&nbsp;<SPAN>I set it to yes to require message authentication and ran the show command to see if it was accepted but I got no output. As a result, the connection to my RADIUS server is still broken until I find a workaround.&nbsp;</SPAN></P> Wed, 14 Aug 2024 23:55:39 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/594964#M5673 NetworkEnginear 2024-08-14T23:55:39Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/597402#M5800 <P>re: no output:&nbsp; Same experience on 10.2.10-h1 and 11.2.0<BR /><BR />On the API, when set to yes or no, response is the same.&nbsp; Missing CDATA.&nbsp; I'll be opening a ticket with PA to check on this today.<BR /><BR />&lt;show&gt;&lt;auth&gt;&lt;radius-require-msg-authentic&gt;&lt;/radius-require-msg-authentic&gt;&lt;/auth&gt;&lt;/show&gt;<BR /><BR /></P> <DIV class="line"><SPAN class="html-tag">&lt;response<SPAN class="html-attribute"><SPAN>&nbsp;</SPAN><SPAN class="html-attribute-name">status</SPAN>="<SPAN class="html-attribute-value">success</SPAN>"</SPAN>&gt;</SPAN></DIV> <DIV class="opened"> <DIV id="folder1" class="folder"> <DIV class="line"><SPAN class="html-tag">&lt;result&gt;</SPAN></DIV> <DIV class="opened"> <DIV class="line"><SPAN>&lt;![CDATA[ ]]&gt;</SPAN></DIV> </DIV> <DIV class="line"><SPAN class="html-tag">&lt;/result&gt;</SPAN></DIV> </DIV> </DIV> <DIV class="line"><SPAN class="html-tag">&lt;/response&gt;<BR />-------------------------------------------<BR />Edit/Add:&nbsp; PA noted it the lack of display is a bug.&nbsp; Can be gathered through one of the three methods currently</SPAN></DIV> <DIV class="line"><SPAN class="html-tag"><BR /><SPAN>Verified the sdb variable is set to True from TSF at location &lt;tsffile&gt;\tmp\cli\logs\sdb.txt</SPAN><BR /><SPAN>cfg.auth.radius-require-msg-authentic: True</SPAN><BR /><BR /><SPAN>you can verify the same from CLI using the command</SPAN><BR /><SPAN>&gt; show system state | match cfg.auth.radius-require-msg-authentic</SPAN><BR /><BR /><SPAN>API command below:</SPAN><BR /><A href="https://urldefense.com/v3/__https://*3Cfirewall*3E/api/?type=op&amp;cmd=*3Cshow*3E*3Csystem*3E*3Cstate*3E*3Cfilter*3Ecfg.auth.radius-require-msg-authentic*3C*filter*3E*3C*state*3E*3C*system*3E*3C*show*3E&amp;target=SERIAL&amp;key=KEY__;JSUlJSUlJSUlJSUvJSUvJSUvJSUvJQ!!Nyu6ZXf5!s4xknOqsqqNKP5hr560Hn5FbJ8RO270PejwSGd27zP2mXCE9PQgw-f9lSJlMBswWI6a-hQ3M8PZxFd89VDZwX4uOOaw88Q-clQ$" target="_blank" rel="noopener noreferrer nofollow" data-auth="NotApplicable" data-linkindex="1">https://&lt;firewall&gt;/api/?type=op&amp;cmd=&lt;show&gt;&lt;system&gt;&lt;state&gt;&lt;filter&gt;cfg.auth.radius-require-msg-authent...</A><BR /></SPAN></DIV> Tue, 10 Sep 2024 13:40:02 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/does-global-protect-radius-support-message-authentication-to/m-p/597402#M5800 Chris_Johnston 2024-09-10T13:40:02Z