add and document global limit_proxy_state

diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index cd2d80c8e6babf0f3af3921014f5e3e0b085ee30..8fa2a3d98ff54f6c2b879091e766b4272da424a3 100644 (file)
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -612,8 +612,42 @@ security {
        #  home server by adding a flag to that section which says
        #  "require_message_authenticator = false".
        #
+       #  If the server produces error message which says "Packet
+       #  does not contain required Message-Authenticator attribute",
+       #  then this configuration item has to be updated.
+       #
+       #  WARNING: This item should always be left as "yes",
+       #  otherwise it is possible for MITM attackers to create fake
+       #  Access-Accept packets to the NAS!
+       #
        require_message_authenticator = yes
 
+       #
+       #  Global configuration for requiring Message-Authenticator
+       #  Access-Request packets from a NAS, but only if those
+       #  packets also contain Proxy-State.
+       #
+       #  If "require_message_authenticator" is set to "yes", this
+       #  configuration item is ignored.
+       #
+       #  If "require_message_authenticator" is set to "no", this
+       #  configuration item is checked.
+       #
+       #  This configuration item should ALWAYS be set to "yes".
+       #
+       #  The only reason to set it to "no" is when the client is a
+       #  proxy, AND the proxy does not send Message-Authenticator in
+       #  Access-Request packets.  Even then, the best approach to
+       #  fix the issue is to (1) update the client to send
+       #  Message-Authenticator, and if that can't be done, then (2)
+       #  set this flag to "no", but ONLY on a per-client basis.
+       #
+       #  WARNING: This item should always be left as "yes",
+       #  otherwise it is possible for MITM attackers to create fake
+       #  Access-Accept packets to the NAS!
+       #
+       limit_proxy_state = yes
+
 @openssl_version_check_config@
 }
 

diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 76931fabd4952a6b1d2aa3ffe6ee241db1d90cea..44a18ce793b2ad2f8ac6ec12fc77b02cd0a132cc 100644 (file)
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -178,6 +178,8 @@ typedef struct main_config {
 
        bool            require_ma;                     //!< global configuration for all clients and home servers
 
+       bool            limit_proxy_state;              //!< global configuration for all clients
+
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
        char const      *allow_vulnerable_openssl;      //!< The CVE number of the last security issue acknowledged.
 #endif

diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index cbc0d6b646dba28f874667b8c6c2036c1e170663..6d424fd53a3676a45baca8fadafa291e003c2fe9 100644 (file)
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -163,6 +163,7 @@ static const CONF_PARSER security_config[] = {
        { "reject_delay",  FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
        { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
        { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.require_ma), "yes"},
+       { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.limit_proxy_state), "yes"},
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
        { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
 #endif