Incorrect RADIUS client behavior on USG devices
Freshman Member
We’ve been running several USG devices (110 and 210) without issues for years but recently discovered few issues that seem are persisting on newest FLEX H devices as well.
RADIUS Framed-MTU Issue
The Zyxel RADIUS client (AAA Server) hardcodes Framed-MTU=1400, which is incorrect and not configurable (Microsoft recommendation: 1344, Cisco value: 1002)
This results in attempt to send 1514-byte RADIUS packet, which cannot be properly fragmented and fails reassembly, breaking authentication.
EAP-TLS fails entirely, while MSCHAPv2 works (since it doesn’t rely on large payloads).
RADIUS Accounting Fails Completely
Despite having port 1813 correctly configured, there is zero RADIUS accounting traffic from the USG.
No packets are sent on any interface, making accounting non-functional.
The reason why EAP-TLS is very important is the native Windows VPN client (all versions). By design, it is impossible to arbitrary set a Peer Id there in case of EAP-MSCHAP authentication. In this case it's always set as caller-IP what makes impossible to explicitly set a client Peer Id on USG, so it should be set to "any". This significantly broader attack surface and makes RADIUS server vulnerable to brute force/DDoS. The only option to mitigate this vulnerability is to use EAP-TLS so Peer Id in Windows client becomes dependent from certificate CN, so makes it possible to setup static Peer Id on USG.
The issue was already reported:
Categories
- All Categories
- 415 Beta Program
- 2.5K Nebula
- 157 Nebula Ideas
- 106 Nebula Status and Incidents
- 5.9K Security
- 327 USG FLEX H Series
- 286 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.6K Consumer Product
- 257 Service & License
- 400 News and Release
- 86 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.8K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 87 About Community
- 78 Security Highlight
