Search results for "192137"
22 Jan 2026 - RADIUS Protocol Spoofing Vulnerability Mitigation (CVE-2024-3596)

Introduction

On July 9, 2024, security researchers disclosed a high-severity vulnerability in the RADIUS protocol: CVE-2024-3596, also known as the Blast-RADIUS vulnerability. It allows attackers to spoof RADIUS response packets through man-in-the-middle attacks, modifying any valid authentication response (such as "Access-Accept", "Access-Reject", or "Access-Challenge") into an arbitrary response, thereby bypassing the authentication mechanism and gaining network access.

Vulnerability Overview

Vulnerability Name: RADIUS Protocol Spoofing Vulnerability
CVE Number: CVE-2024-3596
Vulnerability Type: Forgery, MITM
Discovery Time: 2024-07-09
Attack Vector: Network
Vulnerability Level: High Severity

The RADIUS protocol is used to transmit user authentication, authorization, and accounting information between a network access server (NAS) and an Authentication, Authorization, and Accounting (AAA) server. It verifies the user's identity through communication between the client and the server and determines whether the user has the right to access network resources.

The RADIUS protocol allows attackers to forge responses when the Message-Authenticator attribute is not enforced. The issue stems from the use of MD5 for cryptographic integrity checks, which enables attackers to forge UDP-based RADIUS response packets. This may lead to unauthorized access by modifying an Access-Reject response into an Access-Accept response, thereby compromising the security of the process.

Scope of Impact

The impact of this vulnerability depends on the mix of RADIUS client, RADIUS server, and transport protocol. Successful exploitation can lead to privilege escalation and identity impersonation on the affected system.

Potentially Affected:
• Systems that use the RADIUS network authentication protocol without enabling the Extensible Authentication Protocol (EAP) authentication method
• RADIUS servers that have not globally enforced Message-Authenticator validation on received requests
• Deployments in which the transmitted message does not carry the Message-Authenticator field

Unaffected:
• EAP-based 802.1X Authentication
• Protected over TLS
• Require Message-Authenticator attribute from every server-client response

Safety Measures

Measure 1: Emergency Mitigation

This is the fastest and most important protection measure, with the focus on protecting the RADIUS communication channel.

1. Implement network isolation and access control: Strictly limit the IP addresses of network devices (switches) that can communicate with the RADIUS server. On the firewall or switch ACL, allow RADIUS port communication only between switches within the specified network management VLAN and the RADIUS server, and deny all other sources.
2. Encrypted Transmission Channel: Establish IPsec VPN tunnels between all switches and the RADIUS server. This will effectively prevent man-in-the-middle attacks, as all traffic is encrypted and authenticated. If supported by the RADIUS server and client, use RADIUS over TLS (RadSec), which uses TCP and TLS encryption.

Measure 2: Strengthen Monitoring and Detection

1. Network Behavior Anomaly Monitoring: Deploy a Network Detection and Response (NDR) system to monitor whether any device attempts authentication during non-working hours or from an abnormal location.
2. Log Audit: Centrally collect and analyze logs from switches and security devices, focusing on whether authentication success events are consistent with RADIUS server logs, and whether there are abnormal patterns of sudden success after a large number of authentication failures.

Solutions

Note: To effectively mitigate this attack, we recommend implementing the following security measures. All measures except item 3 can be deployed immediately within your current environment.

1. Upgrade RADIUS Server: Immediately upgrade your RADIUS server (such as FreeRADIUS) to a patched version.

2. Mandatory Message-Authenticator Attribute: On the patched RADIUS server, configure the Message-Authenticator attribute to be used for all types of RADIUS requests. This attribute uses the more secure HMAC-MD5 mechanism, which can effectively defend against such attacks.

Verification Principle: The RADIUS request sent by the client to the verification server must include the Message-Authenticator attribute. If this attribute is not included, the verification server will silently discard the request. If this attribute is included, the transaction will be verified, and the Message-Authenticator attribute will be sent in the RADIUS response.

[image]

3. Check and update the switch firmware:

Note: FS will enhance the security of all switch devices to avoid the risk of RADIUS vulnerabilities. Users can obtain the latest firmware version (the security-enhanced version will be provided upon release) on the front end of the corresponding product.

Updating to the new switch firmware version adds the Message-Authenticator field, enhancing the security of the switch's RADIUS client and providing better compatibility. The following is a packet capture example of an Access-Request that includes the Message-Authenticator attribute:

[image]

4. TLS/DTLS encryption protects the communication between the RADIUS client and server:

TLS (Transport Layer Security Protocol): An encrypted communication protocol based on TCP. It runs over a reliable connection established through the three-way handshake, completes identity authentication and key negotiation based on digital certificates during the handshake phase, and generates a unique session key. Subsequently, all application layer data (such as RADIUS data packets) is encapsulated by the TLS record protocol, encrypted using strong encryption algorithms such as AES, and integrity-protected through modern hashing algorithms such as HMAC-SHA256. The advantage of TLS is its high reliability: a built-in retransmission mechanism ensures that data is not lost, which makes it suitable for enterprise network environments with high stability requirements. Note: The TLS handshake requires multiple round trips and may introduce a delay of several tens of milliseconds.

[image]

DTLS (Datagram Transport Layer Security Protocol): The UDP version of TLS, designed specifically for connectionless and latency-sensitive scenarios. Its principle is similar to TLS, providing encryption, authentication, and integrity protection, but it is optimized for the characteristics of UDP: it uses sequence numbers and a replay window to prevent packet replay attacks, tolerates packet loss and out-of-order delivery, and simplifies the handshake process to reduce latency. DTLS retains the security features of TLS while adapting to the original UDP transport of the RADIUS protocol, and is suitable for wireless networks, high-latency links, or environments that require traversing NAT.

5. Network Isolation and Secure VPN Tunnel Communication: Where possible, network isolation and secure VPN tunnel communication should be enforced for the RADIUS protocol to restrict access to these network resources from untrusted sources.
06 Sep 2025 - Product overview

FS S5850 series switches are high-performance Ethernet switches built to meet next-generation Metro, Data Center and Enterprise network requirements, and support L2/L3/IPv6/Data Center/Metro features. The S5850 Series Switches come with complete system software with comprehensive protocols and applications to facilitate rapid service deployment and management for both traditional L2/L3 networks and Data Center networks.

S5850-48T4Q features an advanced hardware design combined with 48x 100/1000M/5G/10GBASE-T ports and 4x 40Gb ports. This 10GBASE-T switch offers backwards compatibility with installed Ethernet cabling and standard RJ-45 connectors. The switch comes with complete system software with comprehensive protocols and applications to facilitate rapid service deployment and management for traditional Layer 2 and Layer 3 networks. Offering high performance, high port density, and low latency, S5850-48T4Q is well-suited to both the core and aggregation layers, enabling it to meet data center, carrier and enterprise network requirements.

S5850-48S6Q is a high-performance Layer 3 Leaf switch with 48x 10Gb SFP+ access ports and 6x 40Gb QSFP+ ports in a compact 1U form factor. The switch delivers rich layer 2 and layer 3 features with wire-speed performance up to a maximum of 1.44 Tbps. Supporting advanced features, including MLAG, VXLAN, IPv4/IPv6, sFlow, SNMP, etc., this switch meets next-generation Metro and enterprise network requirements, and it is also ideal for traditional or fully virtualized data centers.

S5850-48S6Q-R is a high-performance Layer 3 Leaf switch with 48x 10Gb SFP+ access ports and 6x 40Gb QSFP+ ports in a compact 1U form factor. The switch delivers rich layer 2 and layer 3 features with wire-speed performance up to a maximum of 1.44 Tbps. This switch supports rich features, including redundant hot-swappable power supplies and fans, MLAG, VXLAN, IPv4/IPv6, sFlow, SNMP, etc. to meet the requirements of next-generation Enterprise, Data Center, Metro and HCI (Hyper-Converged Infrastructure) networks.

S5850-48B8C 48-port 10Gb Ethernet layer 3 switch features 48x 25G downlinks and 8x 100G QSFP28 uplinks. The switch can deliver 4 Tbps switching capacity and 2976 Mpps forwarding rate. The S5850-48S8C 48-port 10Gb Ethernet layer 3 switch features 48x 10G downlinks and 8x 100G QSFP28 uplinks. The switch can deliver 2.56 Tbps switching capacity and 1905 Mpps forwarding rate. S5850-48B8C and S5850-48S8C are packed with redundant hot-swappable power supplies, hot-swappable smart fans and a hardware-level dual-flash chip for superior processing performance and network reliability. These managed switches are ideal for enterprise network private cloud TOR, data center TOR, and operator PE deployments, meeting the needs of high-speed, safe, intelligent enterprise networks.

S5850-48XMG8C is a high-performance switch featuring 48x 100M/1G/2.5G/5G/10GBASE-T ports and 8x 100G QSFP28 uplinks (split to 4x 10/25G), providing 2.56 Tbps switching capacity and 1904 Mpps forwarding rate. It is equipped with 1+1 redundant hot-swappable power supplies and 4 hot-swappable smart fans, ensuring high availability and optimal cooling. Supporting MACsec encryption, EVPN-VXLAN, MLAG, PTP v2, LACP, and more, this switch is engineered to deliver secure, scalable, and resilient networking solutions. It is ideal for medium to large campus distribution/access, small campus/branch office core, and data center ToR/EoR deployments.

S5850-24S2Q layer 3 switch features 24x 1Gb/10Gb and 2x 40Gb QSFP+ ports, providing the flexibility to support mixed 1Gb, 10Gb and 40Gb environments. This managed enterprise switch delivers 640 Gbps switching capacity with rich layer 2 and layer 3 features. Delivering wire-speed performance on every port, full device redundancy, support for L3 routing protocols such as RIP, OSPF and BGP, and a comprehensive security and QoS feature set, the S5850-24S2Q is ideal for large-scale campus network aggregation and small and medium-sized network cores.

S5850-24S2C is a high-performance Layer 3 Ethernet switch with 24x 1/10Gb SFP+ and 2x 40/100Gb QSFP28 ports in a compact 1U form factor. The switch comes with complete system software, comprehensive protocols and applications to facilitate rapid service deployment and management for traditional Layer 2 and Layer 3 networks. It is ideally designed for demanding workloads. Supporting advanced features, including MLAG, EVPN, SR-MPLS, VXLAN, IPv4/IPv6, sFlow, SNMP, etc., this switch meets next-generation Metro and enterprise network requirements, and it is also ideal for traditional or fully virtualized data centers.

S5850-24T16B is a high-performance Layer 3 Ethernet routing switch with 24x 10/100/1000BASE-T RJ45 and 16x 10Gb SFP+/25Gb SFP28 ports in a compact 1U form factor. Based on FSOS system software, it supports full L3 routing protocols (OSPF, BGP, and ISIS), multiple IPv4/IPv6 tunnel techniques, data center DCB features (PFC/ECN/ETS), MLAG, etc. With its diverse set of deployment options, including fabric, Layer 3, as well as spine and leaf, the switch is ideal for next-generation enterprise, data center, Metro and HCI (Hyper-Converged Infrastructure) networks.

S5850-24XMG features 24x 10/100/1000M/2.5G/5G/10GBASE-T ports and 2x 100Gb ports. This 10GBASE-T switch offers backwards compatibility with installed Ethernet cabling and standard RJ-45 connectors. The switch comes with complete system software with comprehensive protocols and applications to facilitate rapid service deployment and management for traditional Layer 2 and Layer 3 networks. Offering high performance, high port density, and low latency, S5850-24XMG is well-suited to both the core and aggregation layers, enabling it to meet the requirements of next-generation enterprise, Wi-Fi 6 Access, Metro and HCI (Hyper-Converged Infrastructure) networks.

S5850-24XMG-U is equipped with 24x 10/100/1000M/2.5G/5G/10GBASE-T ports and 2x 100Gb ports. The 24x RJ45 ports support IEEE 802.3af/at/bt (up to 90W per port) for powering attached IP phones, wireless access points, or other standards-compliant PoE, PoE+, and PoE++ end network devices. In addition, the 2x 100G QSFP28 ports can provide high-speed uplink and server/storage/high-performance workstation connectivity. Offering high performance, high port density, and low latency, S5850-24XMG-U is well-suited to both the core and aggregation layers, enabling it to meet the requirements of next-generation enterprise, Wi-Fi 6 Access, Metro, and HCI (Hyper-Converged Infrastructure) networks.

S5850-24B4C 24-port 10Gb Ethernet layer 3 switch features 24x 25G downlinks and 4x 100G QSFP28 uplinks. This managed enterprise switch can deliver 4 Tbps switching capacity and 2976 Mpps forwarding rate. It is packed with redundant hot-swappable power supplies, hot-swappable smart fans and a hardware-level dual-flash chip for superior processing performance and network reliability. The FS agile S5850-24B4C managed switch is ideal for enterprise network private cloud TOR, data center TOR, and operator PE deployments, meeting the needs of high-speed, safe, intelligent networks.

S5850-16T16BS2Q is a high-performance Layer 3 Ethernet routing switch with 16x 10/100/1000BASE-T RJ45, 8x 10Gb SFP+, 8x 25Gb SFP28 ports and 2x 40Gb QSFP+ in a compact 1U form factor. It delivers 752 Gbps switching capacity and 540 Mpps forwarding rate. It is packed with redundant hot-swappable power supplies and variable-speed axial fans for superior processing performance.

Product highlights

• Support MLAG (Multi-Chassis Link Aggregation) for Uninterrupted Services
• 1+1 Hot-swappable Power Supplies
• Network Monitoring through Sampled Flow (sFlow)
• Support CLI/WEB/SNMP/OVSDB/RPC-API for Flexible Operation
• Support SSH, ACL, AAA, 802.1X, RADIUS, TACACS+, etc. for security
• Support IPv4/IPv6 Dual-stack for Future Network Expansion
• Support RIPng/OSPFv3/BGP4+/DHCPv6/IS-IS for Efficient Calculation
• Support QoS, BGP, ACL, VRRP, DHCP, etc.
• Support OSPF/OSPFv3, BGP4/BGP4+, ISIS, BFD
• Support VXLAN, NVGRE for Knowledge Sharing and Community-based Problem Solving
• Support G.8031, G.8032, Ethernet OAM, MPLS, VPLS, VPWS, L3VPN (Except for S5850-24S2Q/S5850-24XMGG/S5850-48XMG8C)
• Support Data Center Features (PFC, ECN, etc.) to Build a Lossless and Low-latency Network (Only for S5850-48T4Q/S5850-48T4Q-PE/S5850-48S6Q/S5850-48S6Q-R/S5850-24T16B/S5850-24B4C)
• Support IEEE 1588v2 Precision Time Protocol TC Mode (Only for S5850-24S2C-PE/S5850-24S2C/S5850-24S2C-DC); Support IEEE 1588v2 Precision Time Protocol TC and BC Mode (Only for S5850-48B8C-PE/S5850-48S6Q-R-PE/S5850-48S8C-PE/S5850-48S6Q-R/S5850-48S8C-DC/S5850-24B4C/S5850-48B8C/S5850-48S8CC/S5850-48XMG8C)

Platform details
Switch configurations and port density
Power supplies and fans
Switch performance
Platform benefits
Software requirements

Licensing

Metro Advanced License includes the functions of MPLS, LDP, MPLS-L2VPN, MPLS-L3VPN, VxLAN-BGP-EVPN, and IPFIX. The license is specific to the switch for which it is issued and is not valid on any other switch, so the license is not portable across devices. Metro Advanced License is offered as a perpetual license and is applicable to multiple devices, including S5800-48T4S, S5800-48F4SR, S5850-24T16S, S5850-24T16B, S5850-24XMG, S5850-32S2Q, S5850-48S6Q, S5850-48S6Q-R, S5850-48S2Q4C, S5850-48T4Q, S8050-20Q4C, S5800-48T4S-DC, S5800-48F4SR-DC, S5850-24B4C, S5850-16T16BS2Q. For more information, visit: https://www.fs.com/products/100590.html

Product specifications

Quality certification

At FS, our Quality Commitment lies in all aspects of processes, resources, and methods that enable us to build superior networks for our customers. Through a quality policy focusing on the continuous improvement of products and services, we can achieve the highest levels of satisfaction for our customers. To that end, every FS employee is accountable for contributing to the value of the products and services we deliver. Figure 14 shows some of the authoritative certifications obtained by FS S5850 Series Switches.

Optics supported

For details about the optical modules available, visit:
• S5850-48T4Q: Transceivers DACs and AOCs Supported on S5850-48T4Q Switch
• S5850-24S2Q: Transceivers DACs and AOCs Supported on S5850-24S2Q Switch

Warranty, service and support

FS S5850 Series Switches come with a 5-year limited warranty against defects in materials or workmanship. For more information on the FS Returns & Refunds policy, visit https://www.fs.com/policies/warranty.html or https://www.fs.com/policies/day_return_policy.html.

FS provides a personal account manager, free professional technical support, and 24/7 live customer service to each customer.
• Professional Lab: Test each product with the latest and advanced networking equipment.
• Free Technical Support: Provide free & tailored solutions and services for your businesses.
• 80% Same-day Shipping: Immediate shipping for in-stock items.
• Fast Response: Direct and immediate assistance from an expert.
For more information, visit https://www.fs.com/service/fs_support.html

Ordering information

Additional information

For more information about the S5850 Series Switches, contact your account manager or visit https://www.fs.com/search_result?keyword=S5850

Document history