Security Considerations


If OneSpan Authentication Server is part of a RADIUS environment, you should take some security considerations into account to enhance protection of authentication processes between OneSpan Authentication Server and the RADIUS client and/or RADIUS server.

Strong shared secrets

Select strong shared secrets between OneSpan Authentication Server and the RADIUS client and/or the RADIUS server to reduce the risk of a security breach. Where multiple RADIUS clients or RADIUS servers are in place, use a different shared secret for each of them.

Internet Protocol Security (IPsec)

To protect authentication data sent over the network, we recommend setting up IPsec on each RADIUS client/RADIUS server. Network traffic between OneSpan Authentication Server and the RADIUS client and/or RADIUS server is then authenticated and encrypted at the IP layer.

Message-Authenticator attribute validation

The Message-Authenticator RADIUS attribute (according to RFC 2869) is used to sign access requests to prevent request spoofing. OneSpan Authentication Server always includes Message-Authenticator attributes in all outgoing Access response packets.

Additionally, you can configure OneSpan Authentication Server to always strictly validate the Message-Authenticator attribute of incoming packets. When OneSpan Authentication Server receives an Access-Request packet from a RADIUS client or a response packet from a RADIUS back-end server that contains a Message-Authenticator attribute, it recalculates the expected value and discards the packet if it does not match the value sent.

This attribute validation helps to mitigate a forgery vulnerability in the RADIUS protocol commonly referred to as Blast-RADIUS (see www.blastradius.fail). By default, this setting is enabled for all RADIUS endpoints (client components, back-end servers), and you should keep it enabled whenever possible.
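The following Python script is an added illustration of the check described above and is not OneSpan code: it builds a RADIUS Access-Request carrying a Message-Authenticator attribute (HMAC-MD5 over the packet with the attribute value zeroed, keyed with the shared secret, as specified in RFC 2869) and then performs the strict validation a RADIUS server applies on receipt. The user name, NAS IP address and shared secret are constructed sample values. For response packets, the same routine is used with the Request Authenticator of the matching request substituted for the Response Authenticator, which the `request_authenticator` parameter allows.

```python
"""Compute and strictly validate the RADIUS Message-Authenticator attribute (RFC 2869).

Added example, not OneSpan Authentication Server code. All packet contents
below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterator, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869, 16-byte HMAC-MD5
HEADER_LEN = 20                   # Code, Identifier, Length, Authenticator


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, Length covers the two header bytes too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each attribute following the header."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def message_authenticator(packet: bytes, secret: bytes, ma_offset: int,
                          request_authenticator: Optional[bytes] = None) -> bytes:
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.

    For Access-Accept/Reject/Challenge the Request Authenticator of the
    corresponding request replaces the Response Authenticator before hashing.
    """
    buf = bytearray(packet)
    buf[ma_offset + 2:ma_offset + 18] = b"\x00" * 16
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def build_access_request(identifier: int, secret: bytes,
                         attributes: List[Tuple[int, bytes]],
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Client side: assemble an Access-Request and sign it with Message-Authenticator."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    ma_offset = HEADER_LEN + len(body)          # the MA attribute goes last
    body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet += request_authenticator + body
    mac = message_authenticator(packet, secret, ma_offset)
    return packet[:ma_offset + 2] + mac + packet[ma_offset + 18:]


def validate_message_authenticator(packet: bytes, secret: bytes,
                                   request_authenticator: Optional[bytes] = None) -> bool:
    """Server side, strict mode: the attribute must be present and must verify."""
    if len(packet) < HEADER_LEN:
        return False
    declared_len = struct.unpack("!H", packet[2:4])[0]
    if declared_len < HEADER_LEN or declared_len > len(packet):
        return False                              # RFC 2865: silently discard
    packet = packet[:declared_len]                # bytes beyond Length are padding
    ma_offset = None
    try:
        for offset, attr_type, value in parse_attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16 or ma_offset is not None:
                    return False                  # wrong size or duplicated
                ma_offset = offset
    except ValueError:
        return False
    if ma_offset is None:
        return False                              # strict: missing attribute is a failure
    expected = message_authenticator(packet, secret, ma_offset, request_authenticator)
    received = packet[ma_offset + 2:ma_offset + 18]
    return hmac.compare_digest(expected, received)  # constant-time comparison


def demo() -> Tuple[bool, bool, bool]:
    """Genuine request verifies; a tampered attribute or a wrong secret does not."""
    secret = b"constructed-demo-secret"           # constructed sample, not a real secret
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    pkt = build_access_request(7, secret, attrs)
    genuine = validate_message_authenticator(pkt, secret)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01              # flip a bit in the User-Name value
    forged = validate_message_authenticator(bytes(tampered), secret)
    wrong_secret = validate_message_authenticator(pkt, b"some-other-secret")
    return genuine, forged, wrong_secret


if __name__ == "__main__":
    print(demo())                                 # expected: (True, False, False)
```

The `demo` function shows why the attribute defeats the forgery the page refers to: any change to the packet body, or a request signed under a different shared secret, produces a mismatch and the packet is discarded. Strict mode also rejects packets that omit the attribute entirely, which is the behaviour the default setting described above provides for all RADIUS endpoints.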