From: Terry Burton Date: Mon, 8 Jul 2024 14:55:44 +0000 (+0100) Subject: Config docs: Clients aggregators may be RADIUS proxies and set proxy-state X-Git-Tag: release_3_2_5~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f29aa10482291eb037fa34d07859d2f45e5c44a;p=thirdparty%2Ffreeradius-server.git Config docs: Clients aggregators may be RADIUS proxies and set proxy-state --- diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index 860a6e9ad7..44fee628e7 100644 --- a/raddb/radiusd.conf.in +++ b/raddb/radiusd.conf.in @@ -744,9 +744,16 @@ security { # packets which contain Proxy-State MUST also contain # Message-Authenticator, otherwise they are discarded. # - # This setting is safe for all NASes, GGSNs, BRAS, etc. - # No known RADIUS client sends Proxy-State for normal - # Access-Request packets. + # This setting is safe for most NASes, GGSNs, BRAS, etc. + # Most regular RADIUS clients do not send Proxy-State + # attributes for Access-Request packets that they originate. + # However some aggregators (e.g. Wireless LAN Controllers) + # may act as a RADIUS proxy for requests from their cohort + # of managed devices, and in such cases will provide a + # Proxy-State attribute. For those systems, you _must_ look + # at the actual packets to determine what to do. It may be + # that the only way to fix the vulnerability is to upgrade + # the WLC, and set "require_message_authenticator" to "yes". # # * "auto" - Automatically determine the value of the flag, # based on the first packet received from that client.
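Review bot: The new comment text tells operators to "look at the actual packets" but never states the consequence of getting it wrong, which is the point this hunk needs: per the context lines just above, packets which contain Proxy-State MUST also contain Message-Authenticator, otherwise they are discarded, so an aggregator that proxies for its managed devices and adds Proxy-State without Message-Authenticator will have every Access-Request it forwards dropped, i.e. an authentication outage for all devices behind it. Suggest saying that explicitly and spelling out what to check in a capture: whether Access-Requests from that client carry Proxy-State, and if so whether they also carry Message-Authenticator. Also, "fix the vulnerability" is the only reference to a vulnerability in the added lines; name it or point to the section above that describes it so the comment stands on its own in radiusd.conf.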