CVE-2024-3596 : RADIUS protocol susceptible to forgery attacks with Security Analytics



Article ID: 371672


Products

Security Analytics
Security Analytics - VA

Issue/Introduction

A vulnerability in the RADIUS protocol allows an attacker to forge an authentication response, modifying the reply from a RADIUS server, when the Message-Authenticator attribute is not required. The vulnerability is due to a lack of integrity checks when validating the authentication response from a RADIUS server.

The vulnerability was disclosed by a team of researchers from UC San Diego and their partners and concerns the verification of the RADIUS Response from a RADIUS server. An attacker with access to the network over which the RADIUS protocol is transmitted can spoof a UDP-based RADIUS Response packet to change the Response from "Access-Reject" to "Access-Accept" (or vice versa). This allows the attacker to turn a Reject into an Accept without knowing the shared secret between the RADIUS client and server. The attack is possible because of a basic flaw in the RADIUS protocol specification: the response is verified with an MD5 hash, and part of the hashed text is predictable, which allows a chosen-prefix collision.

Environment

Security Analytics 8.x
Security Analytics 9.x

Resolution

Security Analytics can act as a RADIUS client when RADIUS is used as an authentication option.

While the Security Analytics RADIUS client sends the Message-Authenticator attribute in its RADIUS authentication requests, we recommend upgrading your RADIUS server so that it only performs Extensible Authentication Protocol (EAP) authentication, as specified in RFC 3579, which is unaffected by this attack. EAP authentication messages require the Message-Authenticator attribute, which prevents these attacks from succeeding.
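The following is an added example, not code from this article or from the Security Analytics product, showing the check a RADIUS client should apply to a response so that a spoofed reply is refused: it verifies the Response Authenticator (MD5 per RFC 2865) and additionally requires and verifies the Message-Authenticator attribute (HMAC-MD5 per RFC 2869 section 5.14), which is the integrity check the vulnerability relies on being absent. The shared secret and Request Authenticator are constructed values for the demonstration.

```python
# Added example (not from the article): RADIUS response verification that
# requires the Message-Authenticator attribute (RFC 2869 s5.14) in addition
# to the MD5 Response Authenticator (RFC 2865 s3).
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
MESSAGE_AUTHENTICATOR = 80  # attribute type number from RFC 2869


def encode_attrs(attrs):
    """Encode a list of (type, value) pairs as RADIUS TLV attributes."""
    out = b""
    for t, v in attrs:
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def parse_attrs(body):
    """Decode TLV attributes; yields (type, value, offset of value in body)."""
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length], i + 2))
        i += length
    return attrs


def build_response(code, ident, request_auth, secret, attrs, with_msg_auth=True):
    """Server side: build a response, optionally carrying Message-Authenticator."""
    if with_msg_auth:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]  # zero placeholder
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        # HMAC-MD5 over Code|ID|Length|RequestAuth|Attributes, MA value zeroed
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        off = [o for t, _, o in parse_attrs(body) if t == MESSAGE_AUTHENTICATOR][0]
        body = body[:off] + mac + body[off + 16:]
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Client side: accept only if both authenticators verify and MA is present."""
    if len(packet) < 20:
        return False, "short packet"
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    ma = [(v, o) for t, v, o in parse_attrs(body) if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][0]) != 16:
        # Policy: a response without Message-Authenticator is not trusted.
        return False, "Message-Authenticator missing"
    value, off = ma[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "bad Message-Authenticator"
    return True, "ok"


def demo():
    """Constructed scenario: genuine reply, reply lacking MA, and a tampered reply."""
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    req_auth = bytes(range(16))                # constructed Request Authenticator
    good = build_response(ACCESS_ACCEPT, 7, req_auth, secret, [(18, b"Welcome")])
    no_ma = build_response(ACCESS_ACCEPT, 7, req_auth, secret,
                           [(18, b"Welcome")], with_msg_auth=False)
    reject = build_response(ACCESS_REJECT, 7, req_auth, secret, [])
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]  # Code byte changed in transit
    return {
        "good": verify_response(good, req_auth, secret),
        "no_message_authenticator": verify_response(no_ma, req_auth, secret),
        "reject_flipped_to_accept": verify_response(flipped, req_auth, secret),
        "wrong_secret": verify_response(good, req_auth, b"other-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second case is the one that matters for this advisory: the reply without Message-Authenticator carries a perfectly valid Response Authenticator, so a client that checks only the MD5 field would accept it, whereas the policy check above refuses it.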