07-09-2024 03:24 PM
Does the GlobalProtect RADIUS implementation support Message Authentication?
If not, how quickly will a hotfix to patch this vulnerable implementation of RADIUS be released?
Background info:
When configuring GlobalProtect we used RADIUS to integrate RSA SecurID as a second factor to LDAP, to ensure it took more than just a password to log in, but now it turns out RADIUS was designed to use MD5 hash sums in a way that is inherently insecure, as detailed here: https://www.blastradius.fail/pdf/radius.pdf
RSA SecurID released a patch which adds a new value to set in the RADIUS server config files (FreeRadius-Client-require-MA = yes), but the support documentation says the RADIUS client needs to support Message Authentication. https://community.securid.com/s/article/RSA-Announces-Critical-Security-Updates-for-RSA-ID-Plus-Comp...
07-09-2024 06:59 PM
Even though I'm not sure this is what we are looking at, I found a new command on 11.1.3 and above.
I haven't tested anything about it yet, and I haven't researched it on other branches either.
"set auth radius-require-msg-authentic yes/no" might be the answer for us.
admin@PA-VM> show system info | match sw-version
sw-version: 11.1.1
admin@PA-VM> set auth ?
* strict-username-check Use strict username check for user role access
admin@PA-VM>
admin@PA-VM> show system info | match sw-version
sw-version: 11.1.2
admin@PA-VM> set auth ?
* strict-username-check Use strict username check for user role access
admin@PA-VM>
admin@PA-VM> show system info | match sw-version
sw-version: 11.1.3
admin@PA-VM> set auth ?
> radius-require-msg-authentic Flag to check Message-Authenticator in RADIUS response
> remote-host-check check remote host (client IP address) during auth redirects
> strict-username-check Use strict username check for user role access
admin@PA-VM>
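What a "require Message-Authenticator in RADIUS response" check actually does, as an added illustration that is not part of this thread and not PAN-OS or RSA code: the Response Authenticator is a plain MD5 over the packet plus the shared secret (the construction Blast-RADIUS targets), while the Message-Authenticator attribute (type 80) is an HMAC-MD5 keyed with the secret; with the flag on, a response that carries no Message-Authenticator is rejected even if its Response Authenticator is valid. The shared secret and Request Authenticator below are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread or any real deployment).
SECRET = b"demo-shared-secret"
REQUEST_AUTH = bytes(range(16))   # Request Authenticator of the Access-Request
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18                # Reply-Message attribute type
MSG_AUTH_TYPE = 80                # Message-Authenticator attribute type (RFC 2869)

def build_response(code, ident, req_auth, attrs, secret, with_ma):
    """Build a RADIUS response from raw attribute bytes. If with_ma is set,
    a Message-Authenticator (HMAC-MD5 keyed with the secret) is appended."""
    if with_ma:
        attrs += bytes([MSG_AUTH_TYPE, 18]) + bytes(16)  # value zeroed for the HMAC
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_ma:
        # HMAC over Code, ID, Length, Request Authenticator, Attributes (MA zeroed)
        mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    # Response Authenticator: MD5 over the same fields plus the secret (RFC 2865)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(pkt, req_auth, secret, require_ma):
    """Client-side acceptance check; returns True if the response is accepted."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    # 1. Response Authenticator (unkeyed MD5 construction; not collision-resistant)
    if hashlib.md5(header + req_auth + attrs + secret).digest() != resp_auth:
        return False
    # 2. Walk the attribute list looking for a Message-Authenticator
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return False                             # malformed attribute
        if atype == MSG_AUTH_TYPE and alen == 18:
            zeroed = attrs[:i + 2] + bytes(16) + attrs[i + 18:]
            expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, attrs[i + 2:i + 18])
        i += alen
    if i != len(attrs):
        return False                                 # trailing garbage
    # No Message-Authenticator at all: only acceptable when it is not required
    return not require_ma

def demo():
    """Constructed Access-Accept with and without the attribute, checked both ways."""
    msg = bytes([REPLY_MESSAGE, 4]) + b"OK"
    signed = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, msg, SECRET, with_ma=True)
    bare = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, msg, SECRET, with_ma=False)
    return (verify_response(signed, REQUEST_AUTH, SECRET, require_ma=True),
            verify_response(bare, REQUEST_AUTH, SECRET, require_ma=False),
            verify_response(bare, REQUEST_AUTH, SECRET, require_ma=True))
```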
07-10-2024 03:40 PM
Hello @mmason,
based on the advisory for CVE-2024-3596, the authentication check in RADIUS has been introduced in these versions and newer: PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3.
Kind Regards
Pavel
07-10-2024 09:14 AM
That looks promising! Will try it out.
07-10-2024 03:43 PM
Thanks for confirming, waiting for our maintenance window to apply 11.1.3 so we can enable this setting, much appreciated!