Radius vulnerability patch not working for all clients

Article ID: 401143

Products

  • CA Strong Authentication
  • CA Advanced Authentication
  • CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort)

Issue/Introduction

After applying the Symantec-AdvancedAuth-9.1.5-Radius_Vulnerability patch, when the Message Authenticator (MA) is enabled, the server accepts request/response messages only from clients that support this feature (i.e., the latest clients).

Older clients that do not send the Message-Authenticator attribute are therefore not compatible with this configuration.

How can a mixed environment of old and new RADIUS clients be supported with the Radius patch applied?

Environment

Symantec Strong Authentication 9.1.5

Resolution

Our recommendation is to apply the patch Symantec-StrongAuthentication-9.1.5-DE643630-DE637554-hotfix to resolve this issue. The patch can also be downloaded from this KB article.

After applying the patch, the behavior of request/response exchanges between old/new RADIUS clients and the Strong Authentication Server depends on the value of the Message_Authenticator_Required attribute configured in the <ARCOT_HOME>/conf/arcotcommon.ini file.

  • Message_Authenticator_Required=false

  • Message_Authenticator_Required=true

Note: If the Message_Authenticator_Required attribute is set to true, then it is mandatory for the RADIUS client to include the Message-Authenticator attribute in the request. Requests without this attribute will be rejected by the Strong Authentication server.
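As an added illustration of the two settings (example code, not part of the Symantec product or this KB), the following Python models a server applying Message_Authenticator_Required to an Access-Request from a new client that includes Message-Authenticator and from an old client that omits it. It follows RFC 2869 (attribute type 80, HMAC-MD5 over the packet with the attribute value zeroed); the shared secret and User-Name value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type, 16-byte HMAC-MD5 value

def build_access_request(secret, identifier, attrs, include_ma):
    """Build an Access-Request; include_ma=False models an older client that never sends the attribute."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if include_ma:
        # 16 zero bytes as placeholder; the HMAC is computed over the packet in this state
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    pkt = header + os.urandom(16) + body       # 16-byte random Request Authenticator
    if include_ma:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac                  # replace the placeholder with the real value
    return pkt

def find_attribute(pkt, attr_type):
    """Return (value_offset, value) of the first matching attribute, or None; raise on malformed TLVs."""
    off = 20
    while off < len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        if t == attr_type:
            return off + 2, pkt[off + 2:off + length]
        off += length
    return None

def server_accepts(secret, pkt, ma_required):
    """Accept/reject decision; ma_required mirrors Message_Authenticator_Required in arcotcommon.ini."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    found = find_attribute(pkt, MESSAGE_AUTHENTICATOR)
    if found is None:
        # Old client: tolerated only while the attribute is optional (setting = false)
        return not ma_required
    off, received = found
    if len(received) != 16:
        return False
    # Recompute the HMAC-MD5 with the attribute value zeroed, exactly as the sender did
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

A request that carries a Message-Authenticator is verified under either setting, so a tampered packet or a wrong shared secret is rejected even when the attribute is optional; only the decision for requests that omit the attribute changes with the setting.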