ISE Message-Authenticator Attribute order
10-08-2024 06:14 AM
Hi @ll,
today I came across an issue with admin authentication on a Juniper FW (JUNOS 22.4R3-S4.5) using RADIUS.
I can see the Authentication request coming in and also being answered successfully with Access-Accept.
Unfortunately the FW refuses to let me in:
sshd: PAM_RADIUS_SEND_REQ_FAIL: Sending radius request failed with error (No valid RADIUS responses received).
After searching and debugging I came across these support articles from Juniper for the specified JUNOS version:
Article ID KB86815 (account required)
Article ID KB87923 (account required)
saying:
The Message-Authenticator is not encoded as the first attribute in the response packet, immediately after the attribute header.
For now, the workaround would be on server-side.
Anybody aware of changing/manipulating AVP orders in response packets on ISE, and putting "Message-Authenticator" on first place?
10-08-2024 07:07 AM
Do you use RADIUS or TACACS for admin?
MHM
10-09-2024 12:46 AM
Hi @MHM Cisco World
I stated in my post that I receive the error using RADIUS:
Oct 7 16:43:01 fw-name-obfuscated sshd[26120]: Message-Authenticator is not encoded as the first attribute in the response packet, immediately after the attribute header.
10-09-2024 01:03 AM
- Cisco ISE: under the Allowed Protocol configurations, enable 'Require Message-Authenticator for all RADIUS Requests' (ref from the Cisco ISE: Blast-RADIUS (CVE-2024-3596) Protocol Spoofing Mitigation - Cisco).
check above
MHM
10-09-2024 01:43 AM - edited 10-09-2024 01:43 AM
Hi,
the impact of activating this "feature" would be to exclude NADs which do not support/send the Message-Authenticator (MA).
I've already checked via TCP dumps that:
- if a NAD is sending an MA, ISE also responds with an MA
- NAD auth requests without an MA are answered without an MA by ISE
So basically enabling this would have an impact on devices not sending the MA in the RADIUS AVPs, but would not change the order.
Your suggestion would not solve the order issue.
10-09-2024 03:26 AM
Can you contact Juniper? It can be a bug.
The ISE surely sends Message-Authenticator in the Access-Accept.
Update me if you get a reply from Juniper.
thanks
MHM
10-09-2024 07:06 AM - edited 10-09-2024 07:08 AM
Did so,
reply from Juniper:
The recommendation for RADIUS servers is to include the Message-Authenticator attribute in all replies to Access-Request packets. The Message-Authenticator should be encoded as the first attribute in the packet, immediately after the attribute header. Note that adding a Message-Authenticator to the end of reply packets will not mitigate the attack. When the Message-Authenticator is the last attribute in a packet, the attacker can treat the Message-Authenticator as an unknown suffix, as with the shared secret. The attacker then calculates the prefix as before, and has the RADIUS server authenticate the packet which contains the prefix.
regards
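To make the ordering point concrete, here is an added example (not code from this thread, Cisco or Juniper): a small Python check that parses a RADIUS response, reports the position of Message-Authenticator (attribute type 80) in the attribute list, and verifies its HMAC-MD5 per RFC 2869 section 5.14. The shared secret, Request Authenticator and reply attributes are constructed test values; the demo builds the same Access-Accept with the MA first and with it last to show that both are cryptographically valid and only the position differs.

```python
import hashlib
import hmac
import struct
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)
SECRET = b"constructed-shared-secret"       # constructed test values, not real ones
REQ_AUTH = bytes(range(16))                 # Request Authenticator from the Access-Request
ATTRS = [(18, b"Welcome"), (6, struct.pack("!I", 6))]  # Reply-Message, Service-Type=Administrative

def build_response(code, ident, req_auth, attrs, secret, ma_first=True):
    """Build an Access-Accept with a valid MA placed first or last: HMAC-MD5 over Code, ID,
    Length, Request Authenticator, Attributes (MA zeroed), then the Response Authenticator."""
    ma_tlv = bytes([MSG_AUTH, 18]) + bytes(16)
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body = ma_tlv + body if ma_first else body + ma_tlv
    ma_off = 0 if ma_first else len(body) - 18
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    digest = hmac.new(secret, head + req_auth + body, hashlib.md5).digest()
    body = body[:ma_off + 2] + digest + body[ma_off + 18:]
    resp_auth = hashlib.md5(head + req_auth + body + secret).digest()
    return head + resp_auth + body

def attributes(packet):
    """Yield (offset, type, value) for each attribute in wire order."""
    pos, length = 20, struct.unpack("!H", packet[2:4])[0]
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, t, packet[pos + 2:pos + l]
        pos += l

def message_authenticator_index(packet):
    """0 = MA is the first attribute (what the affected Junos builds insist on); None = absent."""
    types = [t for _, t, _ in attributes(packet)]
    return types.index(MSG_AUTH) if MSG_AUTH in types else None

def verify_message_authenticator(packet, secret, req_auth):
    """Recompute the HMAC with the MA zeroed and the Request Authenticator in the header."""
    for off, t, v in attributes(packet):
        if t == MSG_AUTH and len(v) == 16:
            zeroed = packet[:4] + req_auth + packet[20:off + 2] + bytes(16) + packet[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False

def demo():
    first = build_response(2, 7, REQ_AUTH, ATTRS, SECRET, ma_first=True)
    last = build_response(2, 7, REQ_AUTH, ATTRS, SECRET, ma_first=False)
    return (message_authenticator_index(first), message_authenticator_index(last),
            verify_message_authenticator(first, SECRET, REQ_AUTH),
            verify_message_authenticator(last, SECRET, REQ_AUTH))
```

Run `demo()` against a captured Access-Accept (with the matching Request Authenticator) to see whether a server places the MA first and whether it validates; a position-only check like the Junos one reports the second packet as unusable even though its HMAC is correct.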
10-09-2024 09:26 AM
But this doc shows that the attribute is first in order.
So either there is a hacker man-in-the-middle changing/modifying some data, or the ISE patch needs an upgrade.
Can you open a TAC case? I'm sure they will suggest the correct ISE version.
Thanks a lot
MHM
10-10-2024 04:33 AM
Sorry for asking, but where exactly did you read that (MA is first in order, sent by ISE) in the mitigation document mentioned?
I have read it several times and must have missed it.
I'm indeed already in conversation with TAC.
10-18-2024 01:58 AM
Did you work it out with TAC? I have the same problem.
10-28-2024 03:07 AM
I'm still in contact with TAC, Cisco is evaluating if this could be developed as a feature but currently it is not possible to alter the position of MA in the answer packets.
10-28-2024 03:59 AM
I also have a case with them right now. With Windows NPS server it looks like this and works:
01-16-2025 09:23 AM
After enabling "Require Message-Authenticator for all RADIUS Requests", is there any action required on the RADIUS client, let's say a client like a WLC?
01-20-2025 11:55 PM
Just to close the query: in the RFC there is no strict recommendation to put Message-Authenticator as the first attribute in the response packet. The issue has been addressed in Junos 22.4R3-S5.11, which no longer checks whether the MA is the first attribute in the response packet.
01-21-2025 12:20 AM
Hi,
I am running 23.4R2-S2.1 and it's not fixed in that version.
