10-08-2024 06:14 AM
Hi @ll,
today I came across an issue with Admin-authentication on a Juniper FW (JUNOS 22.4R3-S4.5) using RADIUS..
I can see Authentication request coming in and also being answered successfully with Access-Accept.
Unfortunately the FW refuses to let me in:
sshd: PAM_RADIUS_SEND_REQ_FAIL: Sending radius request failed with error (No valid RADIUS responses received).
After searching and debugging I came across this support articles from Juniper for specified JUNOS Version:
Article ID KB86815 (account required)
Article ID KB87923 (account required)
saying:
The Message-Authenticator is not encoded as the first attribute in the response packet, immediately after the attribute header.
For now, the workaround would be on server-side.
Anybody aware of changing/manipulating AVP orders in response packets on ISE, and putting "Message-Authenticator" on first place?
10-08-2024 07:07 AM
You use radius or tacacs for admin?
MHM
10-09-2024 12:46 AM
Hi @MHM Cisco World
I stated in my post that I receive the error using RADIUS
Oct 7 16:43:01 fw-name-obfuscated sshd[26120]: Message-Authenticator is not encoded as the first attribute in the response packet, immediately after the attribute header.
10-09-2024 01:03 AM
check above
MHM
10-09-2024 01:43 AM - edited 10-09-2024 01:43 AM
Hi,
the impact of activating this "feature" would exclude NADs which do not support/send the Message-Authenticator (MA).
I've allready checked by TCP Dumps that:
So basically enabling this would have an impact on devices not sending the MA in RADIUS AVP, but not changing the order.
Your suggestion would not solve the order issue:
10-09-2024 03:26 AM
Can you contact Juniper it can bug
the ISE sure send message-authc in access-accept
update me if you get reply from Juniper
thanks
MHM
10-09-2024 07:06 AM - edited 10-09-2024 07:08 AM
did so,
reply from Juniper:
The recommendation for RADIUS servers is to include the Message-Authenticator attribute in all replies to Access-Request packets. The Message-Authenticator should be encoded as the first attribute in the packet, immediately after the attribute header. Note that adding a Message-Authenticator to the end of reply packets will not mitigate the attack. When the Message-Authenticator is the last attribute in a packet, the attacker can treat the Message-Authenticator as an unknown suffix, as with the shared secret. The attacker then calculates the prefix as before, and has the RADIUS server authenticate the packet which contains the prefix.
regards
10-09-2024 09:26 AM
But this doc. Show that attribute is first in order.
So either there is hacker man in middle change modify some data or ISE patch need to upgrade.
Can you open TAC sure they will suggest correct ISE ver.
Thanks alot
MHM
10-10-2024 04:33 AM
sorry for asking that, but where exactly did you read that (MA is first in order, sent by ISE) in the Mitigation Document mentioned?
Have read it several times and must have missed it.
I'm indeed already in conversation witth TAC.
10-18-2024 01:58 AM
Did you work it out with TAC? I have the same problem
10-28-2024 03:07 AM
I'm still in contact with TAC, Cisco is evaluating if this could be developed as a feature but currently it is not possible to alter the position of MA in the answer packets.
10-28-2024 03:59 AM
I also have a case with them right now. With Windows NPS server it looks like this and works:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide