Message-Authenticator Check Use Cases
The following scenarios document the use cases for configuring the Require Message Authenticator flag, which controls whether the Message-Authenticator attribute is checked for in RADIUS packets. This flag is configurable when defining the following:
External Radius Server for AP/OmniSwitch (No UPAM)
An Access Point or OmniSwitch sends RADIUS AAA requests directly to a RADIUS server (on-premises or hosted elsewhere); UPAM is not involved in this scenario.
Access Point RADIUS Packets:
- OmniVista configures the AAA RADIUS settings on the AP or OmniSwitch through the AAA Server Profile.
- The Require Message Authenticator flag in the AAA Server configuration on an Access Point influences the behavior of APs running AWOS >= 5.0.2 when accepting RADIUS response packets from the specified RADIUS server.
- When enabled, the AP enforces that the RADIUS response packet from the RADIUS server includes the Message-Authenticator attribute; otherwise, it drops the response packet.
- When disabled—or for APs running AWOS < 5.0.2—the AP does not verify the Message-Authenticator attribute in RADIUS responses from any RADIUS server.
- Access Points always send the Message-Authenticator attribute in RADIUS requests, regardless of the AWOS version or the Require Message Authenticator setting (enabled or disabled). It is up to the RADIUS server whether to check for the Message-Authenticator attribute in the RADIUS request packets received from the AP.
OmniSwitch RADIUS Packets:
By default,
- The OmniSwitch does not send the Message-Authenticator attribute in RADIUS requests.
- The OmniSwitch does not check for the Message-Authenticator attribute in RADIUS responses.
To ensure that the OmniSwitch includes the Message-Authenticator in all RADIUS packets sent and also enforces validation of the Message-Authenticator attribute in all responses received from any RADIUS server, use the aaa radius message-authenticator CLI command on the switch. This CLI command is a global command supported on AOS 8.10R2 or higher. Note that you can also issue this command using the OmniVista CLI Scripting application.
Notes:
- The Require Message Authenticator flag is not supported on TLS-enabled RADIUS servers; therefore, it is not configurable when TLS is enabled.
- Default settings for the Require Message Authenticator flag:
  - Enabled when a new RADIUS server is created (TLS is disabled).
  - Enabled for the "UPAMRadiusServer" on a fresh OmniVista installation.
  - Disabled for a RADIUS server that already existed when OmniVista was upgraded from release 4.9R1 to 4.9R2. If the flag is then enabled on 4.9R2, the status is retained on subsequent OmniVista release upgrades.
  - Disabled for a TLS-enabled RADIUS server (the Require Message Authenticator flag is not available).
- Enabling the Require Message Authenticator flag is highly recommended to prevent attempts to forge authentication responses by spoofing UDP-based RADIUS response packets.
UPAM as Proxy between AP/OmniSwitch and External Radius
UPAM proxies incoming RADIUS requests from an Access Point or OmniSwitch to an external RADIUS server.
- When the Require Message Authenticator flag is enabled for the external RADIUS server, UPAM checks for the Message-Authenticator attribute in response packets received from the external RADIUS server. UPAM will then drop any response packets that do not contain the Message-Authenticator attribute but will continue to send RADIUS request packets to the external RADIUS Server for the specified number of Retries.
- When the Require Message Authenticator flag is disabled for the external RADIUS server, UPAM does not check for the Message-Authenticator attribute in RADIUS response packets.
Note that UPAM always includes the Message-Authenticator attribute in RADIUS request packets sent to the external server, regardless of the Require Message Authenticator setting (enabled or disabled). It is up to the external RADIUS Server whether to check for the Message-Authenticator attribute in RADIUS request packets received from UPAM.
The default settings for the Require Message Authenticator flag for external RADIUS servers are as follows:
- Enabled when a new external RADIUS server is created.
- Disabled for an external RADIUS server that already existed when OmniVista was upgraded from release 4.9R1 to 4.9R2. If the flag is then enabled on 4.9R2, the status is retained on subsequent OmniVista release upgrades.
Enabling the Require Message Authenticator flag is highly recommended to prevent attempts to forge authentication responses by spoofing UDP-based RADIUS response packets.
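Added example (not OmniVista, UPAM or AP code) of the "require Message-Authenticator" check that both the Access Point and UPAM sections above describe, applied to a received RADIUS response: the packet is parsed, the Response Authenticator is verified, and the response is accepted only if a Message-Authenticator attribute (type 80, HMAC-MD5 keyed with the shared secret as specified in RFC 2869) is present and valid. The shared secret, Request Authenticator and attribute values used are constructed sample inputs, and the builder exists only to produce test packets.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type, RFC 2869 section 5.14

def _encode(attrs):
    # Encode (type, value) pairs as Type(1) Length(1) Value TLVs
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_response(code, ident, request_auth, secret, attrs, with_ma=True):
    """Constructed sample: a RADIUS response to a request with request_auth."""
    body = _encode(attrs)
    if with_ma:
        body += _encode([(MESSAGE_AUTHENTICATOR, bytes(16))])  # zero placeholder
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:  # HMAC-MD5 over Code+ID+Length+RequestAuth+Attributes (MA zeroed)
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def response_is_acceptable(packet, request_auth, secret):
    """'Require Message Authenticator' policy for a received response: accept only
    if the Response Authenticator is valid AND attribute 80 is present and valid."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    ma_offset, pos = None, 0
    while pos < len(body):  # walk the TLVs, remembering where attribute 80 sits
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            return False  # malformed attribute
        if body[pos] == MESSAGE_AUTHENTICATOR:
            if ma_offset is not None or body[pos + 1] != 18:
                return False  # duplicated or wrongly sized
            ma_offset = pos
        pos += body[pos + 1]
    if ma_offset is None:
        return False  # attribute absent: drop the response, as the flag requires
    received = body[ma_offset + 2:ma_offset + 18]
    zeroed = body[:ma_offset + 2] + bytes(16) + body[ma_offset + 18:]
    # Recompute with the Request Authenticator in the authenticator field
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, received)
```

A response whose Response Authenticator verifies but which carries no Message-Authenticator is still rejected, which is exactly the difference the flag makes.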