Protect against security risks and NPS connection failures that affect RADIUS server environments
A security vulnerability exists in the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS over User Datagram Protocol (UDP) authenticates server responses with an MD5 hash, and MD5 collision attacks let an attacker who can intercept RADIUS traffic on an untrusted network, such as the internet, forge packets or modify them in transit. To learn more, see KB5040268.
Beginning with the July 9, 2024 Windows updates, Network Policy Server (NPS) supports the Message-Authenticator attribute in Access-Request packets. The updated RADIUS standards mandate this attribute.
However, after you install the July 2024 or later updates, NPS connection failures can occur. The update itself does not cause these failures; they occur only if your company's firewall or RADIUS solution does not support the Message-Authenticator attribute. To learn more, see KB5043417.
We recommend that you enable the Message-Authenticator attribute in Access-Request packets. Doing so addresses both the NPS connection issue and the security risk.
When will this happen:
As of July 9, 2024, the updates and the guidance referenced below are available, so you can address this NPS issue and security risk in your environment.
How this will affect your organization:
Exploiting the vulnerability requires network access to the path between the RADIUS client and the NPS: the attacker must be able to intercept and modify UDP RADIUS packets in transit. The attack does not apply when RADIUS traffic goes over a VPN, because the packets are then carried inside an encrypted tunnel. By making one or more of the changes below, you can enhance the security of UDP-based RADIUS traffic and avoid NPS connection failures.
What you need to do to prepare:
To help protect your environment, we recommend that you enable the following:
- Set the Message-Authenticator attribute in Access-Request packets. When NPS itself sends Access-Request packets (for example, when it forwards requests to a remote RADIUS server group as a RADIUS proxy), make sure every packet it sends includes the Message-Authenticator attribute. By default, this option is turned off. We recommend turning it on.
- Verify the Message-Authenticator attribute in Access-Request packets. Enforce validation of the Message-Authenticator attribute on the Access-Request packets that NPS receives from its RADIUS clients. Access-Request packets without this attribute are not processed. By default, the option Access-Request messages must contain the Message-Authenticator attribute is turned off. We recommend turning it on. Before you enforce it, confirm that every RADIUS client that sends requests to the NPS (including network devices and firewalls) includes the attribute; requests from a client that does not will be dropped, which is the connection failure described in KB5043417.
- Verify the Message-Authenticator attribute in Access-Request packets when the Proxy-State attribute is present. If you cannot enforce validation on all Access-Request packets, enable the limitProxyState configuration instead. It validates that any Access-Request packet containing the Proxy-State attribute also contains the Message-Authenticator attribute; the attack injects its collision data through the Proxy-State attribute, so this check blocks that path even when the attribute cannot be required everywhere. By default, limitProxyState is turned off. We recommend turning it on.
- Verify the Message-Authenticator attribute in RADIUS response packets (Access-Accept, Access-Reject, and Access-Challenge). Enable the requireMsgAuth configuration so that NPS drops RADIUS response packets from remote servers that lack the Message-Authenticator attribute. By default, requireMsgAuth is turned off. We recommend turning it on.
You can find detailed guidance on applying these in KB5040268. See the Additional information section below.
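To make concrete what the four options above check, the following is an added example in Python (it is not Microsoft's code and is not part of this message or of KB5040268). It builds RADIUS packets with the Message-Authenticator attribute exactly as RFC 2869 section 5.14 defines it (HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute's value zeroed), shows the legacy MD5 Response Authenticator that the collision attack targets, and applies the three policies from the list: require the attribute on Access-Request packets, require it when Proxy-State is present, and require it on responses from remote servers. The shared secret, user names, Proxy-State value and packet identifiers are constructed sample input; the function names and the policy flag names (require_on_request, limit_proxy_state, require_on_response) belong to this example and are not NPS setting names.

```python
"""RADIUS Message-Authenticator (RFC 2869) built and verified the way the NPS
options above expect. Added example with constructed sample data."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """attrs is a list of (type, value) pairs; each becomes Type, Length, Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def build_packet(code, ident, authenticator, attrs, secret=None):
    """Serialise a packet. With a secret, append a Message-Authenticator: HMAC-MD5
    keyed with the shared secret over the packet with the attribute's 16 value
    bytes zeroed. Without a secret, a legacy packet without the attribute results."""
    if secret is not None:
        attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    pkt = HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body
    if secret is not None:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the zeroed placeholder is the last 16 bytes
    return pkt


def build_response(code, ident, request_auth, attrs, secret):
    """Access-Accept/Reject/Challenge: the Message-Authenticator is computed with the
    Request Authenticator in the header; the Response Authenticator (RFC 2865,
    unkeyed MD5 with the secret appended) is then written over that field."""
    pkt = build_packet(code, ident, request_auth, attrs, secret)
    response_auth = hashlib.md5(pkt + secret).digest()
    return pkt[:4] + response_auth + pkt[20:]


def check_response_authenticator(pkt, secret, request_auth):
    """The legacy RFC 2865 check. It rests on MD5 alone, which is the construction
    CVE-2024-3596 defeats with MD5 chosen-prefix collisions."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def check_message_authenticator(pkt, secret, request_auth=None):
    """True only if exactly one well-formed Message-Authenticator is present and
    its HMAC verifies. For responses, pass the matching Request Authenticator."""
    code, ident, length, auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        return False
    attrs = parse_attrs(pkt[HEADER.size:])
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    base_auth = auth if request_auth is None else request_auth
    base = HEADER.pack(code, ident, length, base_auth) + encode_attrs(zeroed)
    expected = hmac.new(secret, base, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def nps_accepts(pkt, secret, require_on_request=False, limit_proxy_state=False,
                require_on_response=False, request_auth=None):
    """Apply the three policies from the list above (flag names are this example's,
    not NPS setting names). Returns (accepted, reason). A Message-Authenticator
    that is present but does not verify is always rejected, as RFC 2869 requires."""
    code = pkt[0]
    attrs = parse_attrs(pkt[HEADER.size:])
    present = any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in attrs)
    proxied = any(t == ATTR_PROXY_STATE for t, _ in attrs)
    if code == ACCESS_REQUEST:
        required = require_on_request or (limit_proxy_state and proxied)
    else:
        required = require_on_response
    if not present:
        if required:
            return False, "dropped: Message-Authenticator required but absent"
        return True, "accepted without Message-Authenticator (legacy behaviour)"
    if check_message_authenticator(pkt, secret, request_auth):
        return True, "accepted: Message-Authenticator verified"
    return False, "dropped: Message-Authenticator does not verify"
```

The point of the example is the difference between the two checks: an on-path attacker who changes the Code byte of an Access-Reject to Access-Accept can, with enough MD5 collision work, still satisfy check_response_authenticator, but cannot satisfy check_message_authenticator without the shared secret, because HMAC-MD5 does not depend on MD5 being collision resistant. It also shows why the lenient defaults matter: with every flag off, a packet without the attribute is accepted, which is the state the page recommends moving away from.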
Additional information:
For more information about this security risk and NPS issue, see:
- KB5040268: How to manage the Access-Request packets attack vulnerability associated with CVE-2024-3596
- KB5043417: RADIUS authentication to NPS might fail with the July 2024 security update and later updates
- CVE-2024-3596
- Network Policy Server (NPS)
- User Datagram Protocol (UDP)
Message ID: MC863964