Clearpass Radius Auth Check

uc-vel

Clearpass Radius Auth Check

Post by uc-vel »

Hello All,

Could you please help me with this?
We have a Radius server running in Clearpass and we have configured a Nagios plugin to do a Radius authentication, which was working fine. As part of the mitigation for a recent security vulnerability (CVE-2024-3596), we have modified these parameters under the security header at the Clearpass end.

Require Message-Authenticator from NAD = yes
Require Message-Authenticator from Proxy Server = yes

Ref: https://support.hpe.com/hpesc/public/do ... cale=en_US

After the above change, the Nagios check is broken and the event log at Clearpass end says that "Failed to decode RADIUS packet - Received packet from <Nagios_Server> without Message-Authenticator".

Below is the Nagios plugin we were using; it was working fine until the above change.

https://exchange.nagios.org/directory/P ... us/details

Could you please help if anyone has had this situation and was able to fix it with a new plugin that sends an access request that includes the Message-Authenticator value?

Thanks in advance!
lgute

Re: Clearpass Radius Auth Check

Post by lgute »

Hi @uc-vel, thanks for reaching out.

The best way to troubleshoot plugins is to run them in the terminal/console. That way you can try changing settings until you find the combination that works. Once you have it working in the terminal, you can update the configuration for the check.

From the security bulletin, it sounds like the authentication for your Radius server was getting bypassed, so the first obvious thing to check would be that the username and password are correct.
Please let us know if you have any other questions or concerns.

-Laura
uc-vel

Re: Clearpass Radius Auth Check

Post by uc-vel »

Hi @lgute, thanks for your response.

Yes, I have tried different plugins from the terminal, but nothing worked. It seems that either no suitable plugins are available for this check, or I couldn't find the right one.

Now, I am trying with the wpa_supplicant tool.

Thanks!
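Added example, not part of the thread and not the code of any plugin mentioned in it: a Python sketch of what a monitoring probe has to put in its Access-Request so that a server set to require Message-Authenticator accepts it. It builds a PAP request per RFC 2865 and signs it with the Message-Authenticator attribute (type 80) per RFC 3579, then checks the result locally. The function names, user name, password and shared secret are constructed for illustration, and nothing is sent on the network.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def _pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident=None, authenticator=None):
    ident = os.urandom(1)[0] if ident is None else ident
    authenticator = authenticator or os.urandom(16)
    # Message-Authenticator is placed first here, with 16 zero octets as placeholder
    attrs = (_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
             + _attr(USER_NAME, user)
             + _attr(USER_PASSWORD, _pap_encrypt(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    # RFC 3579 3.2: HMAC-MD5 over the whole packet, keyed with the shared secret
    packet[22:38] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)

def has_valid_message_authenticator(packet: bytes, secret: bytes) -> bool:
    # Walk the attribute list the way a receiving server would
    end, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False  # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:end]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute absent: the condition the Clearpass log reports

if __name__ == "__main__":
    pkt = build_access_request(b"nagios-probe", b"constructed-pw", b"constructed-secret")
    print(len(pkt), has_valid_message_authenticator(pkt, b"constructed-secret"))
```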