Overview

Ruckus ICX switches may send RADIUS Access-Request packets without the Message-Authenticator attribute during MAC authentication. The rXg (via FreeRADIUS) rejects these packets as insecure, causing MAC-AUTH to fail for all wired clients behind the ICX. This is related to the BlastRADIUS vulnerability mitigation (requiring Message-Authenticator on all RADIUS packets).

Problem / Question

• MAC-AUTH failing for wired clients connected to ICX switch ports
• ICX does not show the MAC address of devices connected to MAC Auth ports
• TCPDUMP of RADIUS traffic shows the switch is making Access-Request packets, but the rXg ignores them

• RADIUS debug logs show:

  Receive - Insecure packet from host 10.100.1.236:  Packet does not contain required Message-Authenticator attribute.  You may need to set "require_message_authenticator = no" in the configuration.
  

Root Cause

The Ruckus ICX firmware does not include the RADIUS Message-Authenticator attribute in MAC-AUTH packets. The rXg's default behavior (Auto) requires this attribute as a mitigation against BlastRADIUS (man-in-the-middle) attacks, so it drops packets that lack it.

As of Ruckus case 01945490, Ruckus confirmed no current ICX firmware supports this attribute. A future firmware release (RDR01010) is expected to address this, with an estimated release in July/August timeframe.

Resolution

1. Navigate to Services >> RADIUS >> RADIUS Server Options >> Global Behavior >> Require Message Authenticator
2. Change from Auto to No

Note: This disables a BlastRADIUS mitigation. Re-enable once the ICX firmware is updated to include Message-Authenticator in RADIUS packets.