If you see messages like these in the FreeRADIUS server log file:

Wed Nov 12 09:05:10 2025 : Error: It looks like the client has been updated to protect from the BlastRADIUS attack.
Wed Nov 12 09:05:10 2025 : Error: Please set "require_message_authenticator = true" for client 172.23.99.110
Wed Nov 12 09:05:10 2025 : Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

>> The solution is to force the "require_message_authenticator" setting in the client file. The client entry should look like this:
client 172.23.99.110 {
    ipaddr = 172.23.99.110
    # replace the placeholder with the secret shared with this client
    secret = "your shared secret"
    require_message_authenticator = yes
}

See also:
- https://airheads.hpe.com/blogs/agallnx/2024/12/11/nac-and-blast-radius-what-you-need-to-know


================================================================================
Background to the BlastRADIUS attack:
**BlastRADIUS problem:** During high-volume testing, it can overload the RADIUS server, causing many error messages and performance issues.

**Authenticator solution:** Implementing an **authenticator** (like a shared secret or a specific verification step) ensures only legitimate requests are processed, reducing unnecessary load and errors.

**Technical solution:** The fix involves adding a secure verification layer—such as validating request signatures or tokens—before processing, which filters out invalid or malicious requests and stabilizes server performance.

The Message-Authenticator attribute is also an important part of the technical solution.

Technical solution (expanded): According to RFC 3579, the Message-Authenticator attribute (Type 80) is used to ensure the integrity and authenticity of RADIUS messages. Implementing this attribute involves computing an HMAC-MD5 hash over the entire message, including the attribute itself, using the shared secret.

By validating the Message-Authenticator attribute, the server can verify that incoming requests are genuine and unaltered, which helps prevent spoofed or malicious requests from overloading the server. This adds an extra layer of security and reliability, especially during high-volume testing, thereby reducing errors and improving overall stability.
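The check described above, as an added example (not code from the original page or from FreeRADIUS): for an Access-Request, RFC 3579 computes HMAC-MD5 keyed with the shared secret over the whole packet with the 16-byte Message-Authenticator value set to zero. The function names, the sample secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 3579


def iter_attrs(packet: bytes):
    """Yield (type, value_offset, value_length) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]


def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Accept only a request carrying exactly one valid Message-Authenticator."""
    found = [(off, n) for t, off, n in iter_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or found[0][1] != 16:
        return False  # missing, duplicated or wrong size: reject
    off = found[0][0]
    length = struct.unpack("!H", packet[2:4])[0]
    # Recompute the HMAC with the attribute's value field zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def build_access_request(secret: bytes, user: bytes, signed: bool = True) -> bytes:
    """Constructed sample: code 1, id 1, random Request Authenticator, User-Name."""
    attrs = bytes([1, 2 + len(user)]) + user
    if signed:
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    packet = bytearray(struct.pack("!BBH", 1, 1, 20 + len(attrs)) + os.urandom(16) + attrs)
    if signed:
        # The attribute value sits at bytes 22..37, right after the header.
        packet[22:38] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


if __name__ == "__main__":
    pkt = build_access_request(b"testing123", b"alice")
    print("valid:", verify_access_request(pkt, b"testing123"))
```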

Summary: The combined use of the Message-Authenticator attribute, along with RFC 2865 attributes like NAS-IP-Address or NAS-Identifier, and a shared secret, forms a robust authentication mechanism to mitigate the BlastRADIUS problem during heavy loads.

**When available:** This improvement has been in use since around 2020.

computer2know :: thank you for your visit :: have a nice day :: © 2025