| Age | Commit message (Collapse) | Author |
|
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
|
|
Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
|
|
Recently FreeRadius started to complain accel-ppp doesn't pass
BlastRADIUS check. This commit fixes that.
This commit implements protection against RADIUS blast attacks
by adding support for the Message-Authenticator attribute in
Access-Request packets. This security enhancement helps
prevent unauthorized access attempts and replay attacks
on RADIUS authentication.
- Added new configuration option `blast-protection=1`
in [radius] to enable Message-Authenticator inclusion
- Implemented HMAC-MD5 calculation for
Message-Authenticator attribute (RFC 2869)
- Modified packet building to include 18-byte Message-Authenticator
attribute when enabled
- Updated packet structure to support signing with shared secret
Enable blast protection by adding to the `[radius]` section:
```
blast-protection=1
```
When enabled, all Access-Request packets will include a
Message-Authenticator attribute with HMAC-MD5 signature,
providing cryptographic integrity verification and protection
against packet modification attacks.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
|
|
|
|
New configuration format:
[radius]
server=address,secret[,auth-port=1812][,acct-port=1813][,vrf=VRF_NAME][,req-limit=0][,fail-timeout=0,max-fail=0,][,weight=1][,backup]
dae-server=x.x.x.x:port,secret[,vrf=VRF_NAME]
By default, VRF name is undefined.
|
|
Co-authored-by: Sergey V. Lobanov <svlobanov@users.noreply.github.com>
Co-authored-by: Vladislav Grishenko <themiron@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* commit '178b27b0b6d60afdc5039dc3d995f4ad000b5486':
radius: update Class attribute by CoA request
|
|
|
|
|
|
|
|
(default OPENSSL)
|
|
|
|
|
|
|
|
|