From: Alan T. DeKok Date: Thu, 22 Feb 2024 10:36:33 +0000 (-0500) Subject: add and document global limit_proxy_state X-Git-Tag: release_3_2_5~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41653a3f7b0c34c09db75909e25e99142ef89580;p=thirdparty%2Ffreeradius-server.git add and document global limit_proxy_state
---
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index cd2d80c8e6b..8fa2a3d98ff 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -612,8 +612,42 @@ security {
 # home server by adding a flag to that section which says
 # "require_message_authenticator = false".
 #
+ # If the server produces error message which says "Packet
+ # does not contain required Message-Authenticator attribute",
+ # then this configuration item has to be updated.
+ #
+ # WARNING: This item should always be left as "yes",
+ # otherwise it is possible for MITM attackers to create fake
+ # Access-Accept packets to the NAS!
+ #
 require_message_authenticator = yes
+ #
+ # Global configuration for requiring Message-Authenticator
+ # Access-Request packets from a NAS, but only if those
+ # packets also contain Proxy-State.
+ #
+ # If "require_message_authenticator" is set to "yes", this
+ # configuration item is ignored.
+ #
+ # If "require_message_authenticator" is set to "no", this
+ # configuration item is checked.
+ #
+ # This configuration item should ALWAYS be set to "yes".
+ #
+ # The only reason to set it to "no" is when the client is a
+ # proxy, AND the proxy does not send Message-Authenticator in
+ # Access-Request packets. Even then, the best approach to
+ # fix the issue is to (1) update the client to send
+ # Message-Authenticator, and if that can't be done, then (2)
+ # set this flag to "no", but ONLY on a per-client basis.
+ #
+ # WARNING: This item should always be left as "yes",
+ # otherwise it is possible for MITM attackers to create fake
+ # Access-Accept packets to the NAS!
+ #
+ limit_proxy_state = yes
+
 @openssl_version_check_config@
 }
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 76931fabd49..44a18ce793b 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
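Review bot: The new commentary for `limit_proxy_state` drops a word in two places that matter for a security setting operators will read verbatim: `# If the server produces error message which says "Packet` should read `# If the server produces an error message which says "Packet`, and `# Global configuration for requiring Message-Authenticator` followed by `# Access-Request packets from a NAS` reads as if the packets themselves are required rather than the attribute inside them, so the first of those lines should end `Message-Authenticator in`. The block also says twice that the item should be relaxed "ONLY on a per-client basis" without naming the per-client item; if such an item exists, naming it here would spare operators a search. The `security { }` section starts before this hunk.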
@@ -178,6 +178,8 @@ typedef struct main_config {
 bool require_ma; //!< global configuration for all clients and home servers
+ bool limit_proxy_state; //!< global configuration for all clients
+
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged.
 #endif
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index cbc0d6b646d..6d424fd53a3 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -163,6 +163,7 @@ static const CONF_PARSER security_config[] = {
 { "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
 { "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
 { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.require_ma), "yes"},
+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.limit_proxy_state), "yes"},
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 { "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
 #endif
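Review bot: The doxygen comment on the new `limit_proxy_state` member says only `global configuration for all clients`, which tells a reader of the header nothing about what the flag restricts or how it interacts with `require_ma` on the line above, even though the radiusd.conf.in hunk in this same commit spells both out. Suggest `bool limit_proxy_state; //!< require Message-Authenticator in Access-Requests that carry Proxy-State; only consulted when require_ma is false`. The `main_config` struct continues outside the hunk.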
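Review bot: The new `security_config` entry parses `limit_proxy_state` into `main_config.limit_proxy_state` with a default of "yes", consistent with the config text, but nothing visible in this diff reads the field, so as far as this commit shows the documented check (rejecting Proxy-State-bearing Access-Requests that lack Message-Authenticator when `require_ma` is false) is not yet enforced anywhere; presumably the consumer lands in a separate commit, and naming it in the commit message would let reviewers confirm the precedence rule the config comment promises. The config commentary also says the item may be relaxed per client, which a single global parser entry cannot express by itself; if a per-client override is intended, that parser entry and its precedence over this global deserve a pointer here. The `security_config` table continues outside the hunk.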