ISE Message-Authenticator Attribute order

tsme · ‎10-08-2024

Hi @ll,

today I came across an issue with Admin-authentication on a Juniper FW (JUNOS 22.4R3-S4.5) using RADIUS..
I can see Authentication request coming in and also being answered successfully with Access-Accept.
Unfortunately the FW refuses to let me in:

sshd: PAM_RADIUS_SEND_REQ_FAIL: Sending radius request failed with error (No valid RADIUS responses received).

After searching and debugging I came across this support articles from Juniper for specified JUNOS Version:
Article ID KB86815 (account required)
Article ID KB87923 (account required)
saying:

The Message-Authenticator is not encoded as the first attribute in the response packet, immediately after the attribute header.
For now, the workaround would be on server-side.

Anybody aware of changing/manipulating AVP orders in response packets on ISE, and putting "Message-Authenticator" on first place?

MHM Cisco World · ‎10-08-2024

You use radius or tacacs for admin?

MHM

tsme · ‎10-09-2024

Hi @MHM Cisco World

I stated in my post that I receive the error using RADIUS

Oct 7 16:43:01 fw-name-obfuscated sshd[26120]: Message-Authenticator is not encoded as the first attribute in the response packet, immediately after the attribute header.

MHM Cisco World · ‎10-09-2024

Cisco ISE: under the Allowed Protocol configurations, enable 'Require Message-Authenticator for all RADIUS Requests' (ref from the Cisco ISE: Blast-RADIUS (CVE-2024-3596) Protocol Spoofing Mitigation - Cisco).

check above

MHM

tsme · ‎10-09-2024

Hi,

the impact of activating this "feature" would exclude NADs which do not support/send the Message-Authenticator (MA).
I've allready checked by TCP Dumps that:

if a NAD is sending MA, ISE responses also with a MA
NAD auth requests without MA, are answered without MA by ISE

So basically enabling this would have an impact on devices not sending the MA in RADIUS AVP, but not changing the order.

Your suggestion would not solve the order issue:

MHM Cisco World · ‎10-09-2024

Can you contact Juniper it can bug
the ISE sure send message-authc in access-accept

update me if you get reply from Juniper

thanks

MHM

tsme · ‎10-09-2024

did so,
reply from Juniper:

The recommendation for RADIUS servers is to include the Message-Authenticator attribute in all replies to Access-Request packets. The Message-Authenticator should be encoded as the first attribute in the packet, immediately after the attribute header. Note that adding a Message-Authenticator to the end of reply packets will not mitigate the attack. When the Message-Authenticator is the last attribute in a packet, the attacker can treat the Message-Authenticator as an unknown suffix, as with the shared secret. The attacker then calculates the prefix as before, and has the RADIUS server authenticate the packet which contains the prefix.

regards

MHM Cisco World · ‎10-09-2024

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222287-blast-radius-cve-2024-3596-protocol-sp.html

But this doc. Show that attribute is first in order.

So either there is hacker man in middle change modify some data or ISE patch need to upgrade.

Can you open TAC sure they will suggest correct ISE ver.

Thanks alot

MHM

tsme · ‎10-10-2024

sorry for asking that, but where exactly did you read that (MA is first in order, sent by ISE) in the Mitigation Document mentioned?
Have read it several times and must have missed it.

I'm indeed already in conversation witth TAC.