# home server by adding a flag to that section which says
# "require_message_authenticator = false".
#
+ # If the server produces error message which says "Packet
+ # does not contain required Message-Authenticator attribute",
+ # then this configuration item has to be updated.
+ #
+ # WARNING: This item should always be left as "yes",
+ # otherwise it is possible for MITM attackers to create fake
+ # Access-Accept packets to the NAS!
+ #
require_message_authenticator = yes
+ #
+ # Global configuration for requiring Message-Authenticator
+ # Access-Request packets from a NAS, but only if those
+ # packets also contain Proxy-State.
+ #
+ # If "require_message_authenticator" is set to "yes", this
+ # configuration item is ignored.
+ #
+ # If "require_message_authenticator" is set to "no", this
+ # configuration item is checked.
+ #
+ # This configuration item should ALWAYS be set to "yes".
+ #
+ # The only reason to set it to "no" is when the client is a
+ # proxy, AND the proxy does not send Message-Authenticator in
+ # Access-Request packets. Even then, the best approach to
+ # fix the issue is to (1) update the client to send
+ # Message-Authenticator, and if that can't be done, then (2)
+ # set this flag to "no", but ONLY on a per-client basis.
+ #
+ # WARNING: This item should always be left as "yes",
+ # otherwise it is possible for MITM attackers to create fake
+ # Access-Accept packets to the NAS!
+ #
+ limit_proxy_state = yes
+
@openssl_version_check_config@
}
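Review bot: The new `limit_proxy_state` comment block drops a word in its opening sentence ("requiring Message-Authenticator Access-Request packets" should be "requiring Message-Authenticator in Access-Request packets") and its WARNING is a verbatim copy of the one above `require_message_authenticator`, so it never says what this narrower knob actually gates. I would make the warning name the condition the rest of the comment describes, e.g. `# WARNING: Leave this as "yes". If both this and require_message_authenticator` / `# are "no", an Access-Request carrying Proxy-State is accepted without a` / `# Message-Authenticator, and an on-path attacker can forge Access-Accept packets to the NAS.` The advice to set it to "no" ONLY on a per-client basis refers to a per-client override that this hunk does not add; if that flag exists in the client section it is worth naming it here so administrators do not flip the global default instead. One nit in the `require_message_authenticator` text above: `# If the server produces an error message which says "Packet`.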
{ "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
{ "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.require_ma), "yes"},
+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.limit_proxy_state), "yes"},
#ifdef ENABLE_OPENSSL_VERSION_CHECK
{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
#endif
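Review bot: The new `limit_proxy_state` entry registers the knob with a safe default of "yes", but nothing in this hunk relates it to `require_message_authenticator`, even though the radiusd.conf text in the same change says it is only consulted when that item is "no" and that both being "no" re-enables the Access-Accept forgery the warning describes. Since this table only parses the value, I would add a post-parse check wherever `main_config` is validated so the insecure combination is loud rather than silent: `if (!main_config.require_ma && !main_config.limit_proxy_state)` followed by a startup warning through the server's normal logging path stating that Access-Request packets with Proxy-State will be accepted without Message-Authenticator. The `main_config.limit_proxy_state` field and the code that enforces the flag are not in this hunk, so I am assuming they land elsewhere in the same change. A short comment on the new table entry noting that it is ignored when `require_ma` is true would also help, as the table itself gives no hint of that dependency.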