Hello
Our RSA infra was upgraded to address the Blast-Radius vulnerability (https://www.blastradius.fail/). Since then, radius-proxy enabled users can no longer authenticate against those providers.
I understand the RSA radius servers now require Message-Authenticator attributes to be set, which I suppose is the missing piece when freeipa attempts to authenticate.
Anybody have a view on this?
Thanks,
Angus
From the RSA instructions (lol):
RSA recommends asking your vendors for a fix for the BlastRADIUS vulnerability and applying the client-side fixes immediately. This must be done before applying the RSA patches and enabling the Message-Authenticator configuration.
On Thu, 14 Nov 2024, Angus Clarke via FreeIPA-users wrote:
> Hello
> Our RSA infra was upgraded to address the Blast-Radius vulnerability (https://www.blastradius.fail/). Since then, radius-proxy enabled users can no longer authenticate against those providers.
> I understand the RSA radius servers now require Message-Authenticator attributes to be set, which I suppose is the missing piece when freeipa attempts to authenticate.
> Anybody have a view on this?
It should be addressed already by newer krb5 builds in RHEL and Fedora. You need to upgrade them and restart IPA services.
https://access.redhat.com/security/cve/CVE-2024-3596
freeipa-users@lists.fedorahosted.org
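
To check whether a RADIUS client is actually sending the attribute discussed in this thread, the following added example (not part of the thread, and not FreeIPA, krb5 or RSA code) builds an Access-Request and classifies one as carrying a missing, invalid or valid Message-Authenticator. The shared secret, user name and function names are constructed for illustration; the attribute is HMAC-MD5 over the whole packet with its own 16-byte value zeroed, keyed with the shared secret (RFC 2869).

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869)


def build_access_request(secret, ident, attrs, sign=True):
    """Build an Access-Request (code 1); attrs is a list of (type, value bytes)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        # Message-Authenticator goes first, as a 16-byte zero placeholder for now.
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + os.urandom(16) + body
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:22] + mac + packet[38:]  # value sits at offsets 22..37
    return packet


def check_message_authenticator(secret, packet):
    """Return 'missing', 'invalid' or 'valid' for an Access-Request."""
    if len(packet) < 20:
        return "invalid"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "invalid"
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "invalid"  # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return "invalid"
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            got = packet[pos + 2:pos + 18]
            return "valid" if hmac.compare_digest(got, expected) else "invalid"
        pos += alen
    return "missing"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    for sign in (True, False):
        pkt = build_access_request(secret, 1, [(1, b"alice")], sign)
        print(sign, check_message_authenticator(secret, pkt))
```

A server that requires the attribute rejects the "missing" case, which matches the authentication failures described above for a client that does not send it.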