Affected customers should choose one of the following two solutions:
- Apply a patch to Steel-Belted Radius by following the instructions in the attached document (available at http://alerts-int.juniper.net/AlertUpload/EAPFAST_PatchInstructions_Final.pdf). You may also need to upgrade Odyssey Access Client as discussed below.
- Disable EAP-FAST by setting the "Enable" variable equal to zero ("Enable=0") in the fastauth.aut configuration file. Pulse Secure suggests using EAP-GenericTokenCard in an EAP-PEAP tunnel as a replacement for EAP-FAST.
Steel-Belted Radius 5.3.x is no longer supported. If you are running that version and you have enabled EAP-FAST, you are strongly advised to either disable EAP-FAST or purchase an upgrade and install the appropriate patch.
No patch is available for Steel-Belted Radius 5.5.x. If you are running that version and you have enabled EAP-FAST, you are strongly advised to disable it.
In some cases, applying the patch to SBR prevents Odyssey Access Client users from logging in, as documented in PR 453339. This happens when a user logs in using EAP-FAST in token mode with any of the OAC versions listed on the left side of the table below. Windows Mobile Edition of OAC does not have this problem. If you are subject to this additional problem and you are running an OAC version in the list below, then you should upgrade OAC to the fixed version shown in the same row:

| Installed OAC version | Upgrade to |
|---|---|
| 4.56* (see note below) or 4.57 | 4.58 |
| 4.6x (included in UAC 2.0r1-r4) | 4.80.12833.0 (included in UAC 2.2r5) |
| 4.7x (included in UAC 2.1r1-r4) | 4.80.12833.0 (included in UAC 2.2r5) |
| 4.80.b (with b < 12833) (included in UAC 2.1r1-r4) | 4.80.12833.0 (included in UAC 2.2r5) |
| 5.00.b (with b < 13531) (included in UAC C3.0r1-r2) | 5.00.13531.0 (included in UAC 3.0r3) |

The fixed versions of OAC are available at https://www.pulsesecure.net/support/software
* NOTE: Only OAC 4.56 has been certified under the Common Criteria. The recommended upgrade, 4.58, has not been certified. Where this is important, disabling EAP-FAST, as discussed above, may be preferable.
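
To plan OAC upgrades before patching SBR, the version rows above can be applied to a client inventory. The following is an added example, not part of the original advisory or any vendor tooling; the function names, the dotted "major.minor.build.rev" version format, the reading of "4.6x"/"4.7x" as minor versions 60 through 79, and the inventory entries are assumptions made for illustration.

```python
# Added example: triage OAC client versions against the advisory's upgrade rows.
# Assumption: versions are dotted strings such as "4.80.12000.0".

def parse(version):
    """Return (major, minor, build); a missing build number is treated as 0."""
    parts = [int(p) for p in version.strip().split(".")]  # ValueError if malformed
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def required_upgrade(version, token_mode=True, windows_mobile=False):
    """Return the fixed OAC version for this client, or None if no row applies.

    The login problem only affects EAP-FAST in token mode and does not
    affect the Windows Mobile Edition, so those clients need no upgrade.
    """
    if windows_mobile or not token_mode:
        return None
    major, minor, build = parse(version)
    if major == 4 and minor in (56, 57):
        return "4.58"
    if major == 4 and 60 <= minor <= 79:            # rows 4.6x and 4.7x
        return "4.80.12833.0"
    if (major, minor) == (4, 80) and build < 12833:  # row 4.80.b, b < 12833
        return "4.80.12833.0"
    if (major, minor) == (5, 0) and build < 13531:   # row 5.00.b, b < 13531
        return "5.00.13531.0"
    return None

def triage(inventory):
    """Map host -> fixed version for every client that needs an upgrade."""
    plan = {}
    for host, version in inventory:
        target = required_upgrade(version)
        if target is not None:
            plan[host] = target
    return plan

# Constructed sample inventory (hypothetical hosts, all using token mode).
INVENTORY = [
    ("laptop-01", "4.57"),
    ("laptop-02", "4.80.12833.0"),
    ("laptop-03", "4.72.10000.0"),
    ("laptop-04", "5.00.13000.0"),
]

if __name__ == "__main__":
    for host, target in triage(INVENTORY).items():
        print(f"{host}: upgrade OAC to {target}")
```

A version given without a build number (for example "4.80") is treated as build 0 and therefore flagged, which errs on the side of upgrading.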