Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Important Certain versions of Microsoft Windows have reached the end of support. Note that some versions of Windows may be supported past the latest OS end date when Extended Security Updates (ESUs) are available. See Lifecycle FAQ - Extended Security Updates for a list of products offering ESUs.

Contents

Summary

This update addresses a security vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol related to MD5 collision problems. Because of weak integrity checks in MD5, an attacker might tamper with packets to gain unauthorized access. MD5 vulnerability makes User Datagram Protocol (UDP) based RADIUS traffic over the Internet nonsecure against packet forgery or modification during transit. 

For more information about this vulnerability, see CVE-2024-3596 and the whitepaper RADIUS AND MD5 COLLISION ATTACKS.

NOTE This vulnerability requires physical access to the RADIUS network and the Network Policy Server (NPS). Therefore, customers who have secured RADIUS networks are not vulnerable. Additionally, the vulnerability does not apply when RADIUS communication occurs over VPN. 

Take action

To help protect your environment, we recommend enabling the following configurations. For more information, see the Configurations section.

  • Set the Message-Authenticator attribute in Access-Request packets.

    Make sure all Access-Request packets include the Message-Authenticator attribute.

  • Verify the Message-Authenticator attribute in Access-Request packets.

    Consider enforcing validation of the Message-Authenticator attribute on Access-Request packets. Access-Request packets without this attribute will not be processed.

  • Verify the Message-Authenticator attribute in Access-Request packets if the Proxy-State attribute is present.

    Optional: Enable the limitProxyState configuration if enforcing validation of the Message-Authenticator attribute on Access-Request packets cannot be performed. This configuration will validate that Access-Request packets containing the Proxy-State attribute also contain the Message-Authenticator attribute.

  • Verify the Message-Authenticator attribute in RADIUS response packets: Access-Accept, Access-Reject and Access-Challenge.

    Enable the requireMsgAuth configuration to enforce dropping the RADIUS response packets from remote servers that lack the Message-Authenticator attribute.

Events added by this update

For more information, see the Configurations section. 

The Access-Request packet was dropped because it contained the Proxy-State attribute but lacked the Message-Authenticator attribute. Consider changing the RADIUS client to include the Message-Authenticator attribute. Or, alternatively, add an exception for the RADIUS client by using the limitProxyState configuration.

Event log

System

Event type

Error

Event source

NPS

Event ID

4418

Event text

An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. As a result, the request was dropped. The Message-Authenticator attribute is mandatory for security purposes. See https://support.microsoft.com/help/5040268 to learn more. 

This is an audit event for Access-Request packets without the Message-Authenticator attribute in presence of Proxy-State. Consider changing the RADIUS client to include the Message-Authenticator attribute. The RADIUS packet will be dropped once the limitproxystate configuration is enabled.

Event log

System

Event type

Warning

Event source

NPS

Event ID

4419

Event text

An Access-Request message was received from RADIUS client <ip/name> containing a Proxy-State attribute, but it did not include a Message-Authenticator attribute. The request is currently allowed since the limitProxyState is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more. 

This is an Audit event for RADIUS response packets received without the Message-Authenticator attribute at the proxy. Consider changing the specified RADIUS server for the Message-Authenticator attribute. The RADIUS packet will be dropped once the requiremsgauth configuration is enabled.

Event log

System

Event type

Warning

Event source

NPS

Event ID

4420

Event text

The RADIUS Proxy received a response from server <ip/name> with a missing Message-Authenticator attribute. Response is currently allowed since the requireMsgAuth is configured in Audit mode. See https://support.microsoft.com/help/5040268 to learn more.

This event is logged during service start when the recommended settings are not configured. Consider enabling the settings if the RADIUS network is unsecure. For secure networks, these events can be ignored.

Event log

System

Event type

Warning

Event source

NPS

Event ID

4421

Event text

RequireMsgAuth and/or limitProxyState configuration is in <Disable/Audit> mode. These settings should be configured in Enable mode for security purposes. See https://support.microsoft.com/help/5040268 to learn more.

Configurations

This configuration enables the NPS Proxy to start sending the Message-Authenticator attribute in all Access-Request packets. To enable this configuration, use one of the following methods.

Method 1: Use the NPS Microsoft Management Console (MMC)

To use the NPS MMC, follow these steps:

  1. Open the NPS user interface (UI) on the server.

  2. Open the remote Radius Server Groups.

  3. Select Radius Server.

  4. Go to Authentication/Accounting.

  5. Click to select the The request must contain the Message-Authenticator attribute checkbox.

Method 2: Use the netsh command

To use netsh, run the following command:

netsh nps set remoteserver remoteservergroup = <server group name> address = <server address> requireauthattrib = yes

For more information, see Remote RADIUS Server Group Commands.

This configuration requires the Message-Authenticator attribute in all Access-Request messages and drops the packet if absent.

Method 1: Use the NPS Microsoft Management Console (MMC)

To use the NPS MMC, follow these steps:

  1. Open the NPS user interface (UI) on the server.

  2. Open Radius Clients.

  3. Select Radius Client.

  4. Go to Advance Settings.

  5. Click to select the Access-Request messages must contain the message-authenticator attribute checkbox.

For more information, see Configure RADIUS Clients.

Method 2: Use netsh command

To use netsh, run the following command:

netsh nps set client name = <client name> requireauthattrib = yes

For more information, see Remote RADIUS Server Group Commands.

This configuration enables the NPS server to drop potential vulnerable Access-Request packets that contain a Proxy-State attribute, but do not include a Message-Authenticator attribute. This configuration supports three modes:

  • Audit

  • Enable

  • Disable

In Audit mode, a warning event (Event ID: 4419) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the requests.

Use the netsh command to configure, enable, and add an exception as needed.

  1. To configure clients in Audit mode, run the following command:

    netsh nps set limitproxystate all = "audit"

  2. To configure clients in Enable mode, run the following command:

    netsh nps set limitproxystate all = "enable" 

  3. To add an exception to exclude a client from limitProxystate validation, run the following command:

    netsh nps set limitproxystate name = <client name> exception = "Yes" 

This configuration enables NPS Proxy to drop potentially vulnerable response messages without the Message-Authenticator attribute. This configuration supports three modes:

  • Audit

  • Enable

  • Disable

In Audit mode, a warning event (Event ID: 4420) is logged, but the request is still processed. Use this mode to identify the non-compliant entities sending the responses.

Use the netsh command to configure, enable, and add an exception as needed.

  1. To configure servers in Audit mode, run the following command:

    netsh nps set requiremsgauth all = "audit"

  2. To enable configurations for all servers, run the following command:

    netsh nps set limitproxystate all = "enable"

  3. To add an exception to exclude a server from requireauthmsg validation, run the following command:

    netsh nps set requiremsgauth remoteservergroup = <remote server group name> address = <server address> exception = "yes"

Frequently asked questions

Check NPS module events for related events. Consider adding exceptions or configuration adjustments for affected clients/servers.

No, the configurations discussed in this article are recommended for unsecured networks. 

References

Description of the standard terminology that is used to describe Microsoft software updates

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×