Manage Insecure RADIUS Protocols

Blast-RADIUS is a vulnerability in the RADIUS protocol itself, not in any one password method: the MD5-based integrity check on RADIUS/UDP responses can be defeated by a man-in-the-middle (MiTM), who can turn a rejected login into a forged Access-Accept. It affects authentications that use non-EAP methods such as PAP and MS-CHAPv2 over RADIUS without TLS. Because those exchanges are not protected by TLS, they are also exposed to credential-cracking (brute force) and MiTM attacks on your network.

Warning:

Unless you are configuring RADIUS MFA for VPN, JumpCloud discourages using non-TLS-based RADIUS protocols and instead recommends using TLS-based authentication protocols (PEAPv0/MS-CHAPv2, EAP-TTLS/PAP, and EAP-TLS).

Identifying Insecure Protocols

  1. Log in to the JumpCloud Admin Portal.
  2. Go to INSIGHTS > Directory Insights
  3. In the Event Type filter, select radius_auth_attempt.
  4. Search for PAP authentications:
    1. In the Search bar, enter "PAP" and run a report.
    2. Click export and then export the report as a JSON file.
    3. Inspect the JSON file and search for "auth_type": "PAP".
  5. Search for MS-CHAP authentications:
    1. In the Search bar, enter "MS-CHAP" and run a report.
    2. Click export and then export the report as a JSON file.
    3. Inspect the JSON file and search for "auth_type": "MS-CHAP".

Note:

When looking through the JSON file to find insecure protocol types, check the auth_type field and ignore the eap_type field. An inner PAP or MS-CHAPv2 that appears in eap_type is carried inside an EAP-TTLS or PEAP TLS tunnel and is not the insecure case; only a bare PAP or MS-CHAP auth_type is.

  6. If you identify insecure protocols in your device fleet, switch to the secure TLS-based RADIUS authentication protocols (PEAPv0/MS-CHAPv2, EAP-TTLS/PAP, and EAP-TLS).

Important:

Any non-TLS PAP or MS-CHAP authentication types that appear in the export indicate insecure protocols in use and should be switched to TLS-based RADIUS authentication protocols as soon as possible.
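Inspecting the exported JSON by hand does not scale past a handful of events, and a plain text search for "PAP" also matches TLS-tunnelled inner methods in eap_type, which the Note above says to ignore. The following script, an example added to this article and not JumpCloud's own tooling, applies the auth_type rule from the procedure above to an export and tallies the offending attempts per RADIUS client so you know which network device to reconfigure. The sample events are constructed; only the event_type, auth_type and eap_type field names come from this article, and the other fields (username, client_ip), the newline-delimited export layout and the matching of MS-CHAP variants by prefix are assumptions.

```python
"""Flag non-TLS (PAP / MS-CHAP) RADIUS authentications in a JumpCloud
Directory Insights export.

Added example, not JumpCloud code. Assumed or constructed: the sample
events, every field name except event_type/auth_type/eap_type, and the
export layout (newline-delimited JSON; a JSON array is also accepted).
"""
import json
from collections import Counter

# Outer authentication types the article treats as insecure when not wrapped
# in TLS. Matched case-insensitively by prefix so variants such as
# "MS-CHAPv2" are also caught (assumption about how the export spells them).
INSECURE_AUTH_TYPES = ("PAP", "MS-CHAP")

# Constructed sample export: five events. alice and carol are insecure;
# bob and dave use TLS-tunnelled inner methods (visible only in eap_type);
# eve is not a RADIUS event at all.
SAMPLE_EXPORT = """\
{"event_type": "radius_auth_attempt", "auth_type": "PAP", "eap_type": "", "username": "alice", "client_ip": "203.0.113.10"}
{"event_type": "radius_auth_attempt", "auth_type": "EAP", "eap_type": "TTLS/PAP", "username": "bob", "client_ip": "203.0.113.11"}
{"event_type": "radius_auth_attempt", "auth_type": "MS-CHAPv2", "eap_type": "", "username": "carol", "client_ip": "203.0.113.10"}
{"event_type": "radius_auth_attempt", "auth_type": "EAP", "eap_type": "PEAPv0/MS-CHAPv2", "username": "dave", "client_ip": "203.0.113.12"}
{"event_type": "user_login_attempt", "auth_type": "PAP", "username": "eve"}
"""


def load_events(export_text):
    """Parse an export given as a JSON array or as one JSON object per line."""
    text = export_text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def naive_grep_hits(export_text, needle):
    """Lines a plain text search would return. Over-matches: it also hits
    TLS-tunnelled inner methods in eap_type and non-RADIUS events."""
    return sum(1 for line in export_text.splitlines() if needle in line)


def is_insecure_auth(event):
    """True for radius_auth_attempt events whose *outer* auth_type is PAP or
    MS-CHAP. eap_type is deliberately ignored: an inner PAP or MS-CHAPv2 inside
    EAP-TTLS or PEAP is TLS-protected and is not flagged."""
    if event.get("event_type") != "radius_auth_attempt":
        return False
    auth_type = str(event.get("auth_type", "")).upper()
    return auth_type.startswith(INSECURE_AUTH_TYPES)


def find_insecure_events(export_text):
    """Return the events that should be migrated to a TLS-based protocol."""
    return [e for e in load_events(export_text) if is_insecure_auth(e)]


def summarize_by_client(events):
    """Count insecure attempts per RADIUS client, i.e. per device to fix."""
    return Counter(e.get("client_ip", "unknown") for e in events)


if __name__ == "__main__":
    print("lines matching plain 'PAP' search:", naive_grep_hits(SAMPLE_EXPORT, "PAP"))
    flagged = find_insecure_events(SAMPLE_EXPORT)
    for e in flagged:
        print(f"{e['auth_type']:<10} user={e.get('username', '?'):<6} "
              f"client={e.get('client_ip', '?')}")
    print("insecure attempts per client:", dict(summarize_by_client(flagged)))
```

Run it against your real export by replacing SAMPLE_EXPORT with the file contents. The gap between the plain-search count and the filtered count is exactly the false positives the Note above warns about; only the filtered list needs remediation.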

Managing Insecure Protocols

Block Insecure Protocols

You can use the JumpCloud Admin Portal to restrict insecure RADIUS authentication protocols from being used on any future network configurations. 

To block insecure RADIUS protocols: 

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > RADIUS.
  3. Select the RADIUS network configuration you want to change. The RADIUS details tab displays.
  4. Click the Authentication tab. 
  5. Select Require secure protocols to restrict the use of non-TLS-based network authentication protocols.
  6. Click Save.

Mitigate Risk Using Insecure Protocols

If your integration or equipment only supports insecure, non-TLS-based legacy protocols, use Directory Insights to monitor RADIUS access and reduce your exposure by enforcing the following security measures for all users:

  • Require multi-factor authentication (MFA) enrollment for accessing the User Portal.
  • Ensure users are enrolled in MFA.
  • Enable a password policy with a regular rotation interval. 

Note:

JumpCloud does not recommend using MFA with RADIUS, especially for WiFi configurations. The recommendation for MFA enrollment is intended for use of non-RADIUS resources such as securing the User Portal.

For more information, see 
