Getting Started
- Overview & Company
  - About Identity and Access Management
  - About Evo Security
- Initial Setup & Requirements
  - Evo Prerequisites & Supported Operating Systems
  - Evo Authenticator Mobile App 5.1 (iOS and Android)
  - Evo Supported Authentication Methods
Directory Environments
- Environments
  - What type of Directory do I need?
  - Set up Evo on Active Directory (LDAP)
  - Set up Evo on Azure AD
  - What is Evo Cloud? Evo's Directory as a Service (DaaS) - How to get Started
  - Sync with Google Workspace
  - Unsupported - Microsoft Azure Virtual Desktop
Deployment & Configuration
- Installation & Setup
  - WS-Federation integration for Office 365 login
  - Elevated Access: Extended User Access Control session
  - Integrating Evo with Windows Desktops
  - Evo Secure Login for Windows / Troubleshooting Secure Login
  - LDAP Agent Settings Editor
  - Azure AD - Federating Microsoft 365 domain
  - Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
  - Sync with On-Prem Active Directory (LDAP)
  - Sync with Azure AD (AAD) using Microsoft Entra admin center
  - (New UI) Evo Cloud: Directory-As-A-Service Setup and Installation
- Advanced Configurations
  - Windows Credential Provider Best Practices
  - Can you install the Credential Provider on Azure AD joined machines?
  - How to protect Remote Desktop using Evo Security (RDP Support)
  - How to Change Windows Credential Provider Settings in Silent Mode after Installation
- Scripts & Automation
  - Deploy & Uninstall Evo Agent via PowerShell
- Branding & Customization
  - How do I update the Logos to match my company brand? (Web Page and Agent)
Product Information
Evo Portal
- Navigation & Managment
  - Welcome to the New Evo Portal!
  - Tenants Page
  - Onboarding Section
  - Policies Page
  - Rules Section (Global)
  - Integrations Page
  - Settings Section
  - Dashboard Page
  - Directories Page
  - Vault Section
  - Users Page
  - Groups Page
  - Help Desk Verification
  - Help Desk Verification with Microsoft Authenticator and Evo Secure Login
  - Elevated Access: End User Elevation
  - Access Tokens Page
  - Keys (Hardware Keys) Page
  - Endpoints Section
  - Applications Page
  - Elevation Section (Tenant)
  - Main Dashboard
  - Role-Based Permissions / List of Roles
  - Setup Elevated Access
  - Elevated Access: End User Elevation
- User & Directory Managment
  - How do I add or delete customers?
  - How do I add, edit or disable a Domain Account? ( Old UI )
  - How do I add, edit, or delete a directory?
  - How do I disable, enable, or delete user devices (Endpoints)?
  - User Groups
  - Custom Aliases ( Old UI )
  - Local Accounts ( Old UI )
  - Web Accounts
  - How do I manage my user licenses? (Billing and Administration)
- Security & SSO Settings
  - How do I add a rule for single sign-on (SSO) expiration?
  - Password Rotation with Evo
  - Identity Provider (IdP) Login
Integrations
- SSO & Identity Providers
  - Connect Web Apps via SAML with Evo: Version 3
  - Integrating Evo with Box.com (SAML/SSO)
  - Integrating Evo with Keeper
  - What SAML integrations are available?
  - Integrating Evo with Dropbox
  - Integrating Evo with Salesforce
- PSA / Documentation Tools
  - Evo Password Integration with ITGlue
  - Integrating Evo with IT Glue
  - Evo Password Integration with Hudu
  - Evo Integration with Autotask
  - Evo Integration with ConnectWise
  - Integrating Evo with Liongard
- Monitoring & Networking
  - Integrating Evo with Auvik
  - Integrating Evo with Domotz
User Onboarding & Guidance
- MFA & Access Behavior
  - How does the "MFA Status" toggle work?
  - Set Evo Secure Login as default option at login screen
  - MFA Grace Period
  - Temporary Authentication Lockout
- Account Management
  - How do I reset my Evo password?
  - How do I see authentication activity?
  - How do I convert user types?
  - How do I manage my users / users devices?
- End User Documentation
  - How do I create my user account?
  - How do i log in?
  - How do I register my device?
  - Evo Authenticator watch app
  - Using Evo Secure Login (End User)
  - Using Evo Security (End User) - Azure AD
  - Using Evo Security (End User) - Active Directory
  - Installing the macOS Credential Provider
Troubleshooting & FAQs
- Directories Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
  - Error Fetching AD Groups: How to fix AAD Client Secret expired
  - Troubleshoot issues with the Evo LDAP Agent
  - On-prem AD Virtual Machine hosted on Azure (timeout settings)
- Secure Login Troubleshooting
  - Last User Caching: Evo Login Only & Fast User Switching
  - Error: Login Denied due to Temporary Lockout
  - Error Message: the account is disabled or not found
  - How to Fix Secure Login Always Requests Offline Code
  - How to use Offline code to login to Windows machine without Internet
- Elevated Access Troubleshooting
  - Error: The user has not been granted the requested logon type at this computer
  - How to Troubleshoot Elevated Access / Domain Accounts
- Mobile App Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
- End User Troubleshooting
  - User cannot login after changing email
- RADIUS Troubleshooting
  - RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)
  - Requesting a RADIUS Server in Evo / RADIUS Troubleshooting
Support & Resources
- Support & Resources
  - Where to go for help / feature requests
  - Adding Evo Users to the Evo Support Portal
  - Setting up Mobile Email to Provide Logs to Evo
  - How do I add, edit, or delete email campaigns?
  - How do I update Evo software?
More

RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)

Last updated on June 12, 2025

Problem Being Solved

In July 2024, a CVE was issued explaining that RADIUS configured with UDP and PAP is vulnerable to MD5 related attacks (see RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks).

When network devices connect to a RADIUS server, a connection is made from a partner/customer network using UDP to port 1812 on a server running in the Evo network. This UDP connection is vulnerable to the reported CVE.

Solution Overview

For customers to eliminate the vulnerability, connections established over the public Internet must include TLS. This is achieved by:

The Evo RADIUS server providing a TLS entry point

The network device in the partner (or customer) network connecting to RADIUS using TLS

The diagram below illustrates network boundaries and the TLS connection being established over port 2083 to the Evo RADIUS server.

Some network devices may not support making the TLS connection. The use of a RadSec Proxy provides the ability to continue uses a UDP connection within a trusted network, but using a TLS connection across the public Internet.

To obtain RadSec Proxy, see radsecproxy .

RadSec Proxy Configuration

If needed, a RadSec Proxy may be deployed within your trusted network. Network devices which cannot establish a TLS connection directly are configured to send RADIUS requests to the RadSec Proxy (UDP port 1812). The RadSec Proxy can be configured using the snippet below to establish the TLS connection with an Evo RADIUS server which supports TLS.

ListenUDP *:1812
ListenUDP localhost

tls default {
     CACertificatePath /etc/ssl/certs/
     CertificateFile /etc/ssl/client_folder/<partner-certificate>.crt
     CertificateKeyFile /etc/ssl/client_folder/<partner-certificate>.key
     CacheExpiry 3600
}

server <evo-provided-radius-host>.evosecurity.com {
     Host <evo-provided-radius-host>.evosecurity.com
     Type tls
     CertificateNameCheck on
     MatchCertificateAttribute CN:/^<evo-provided-radius-host>\.evosecurity\.com$/
     StatusServer on
     Secret <radius-secret>
}

client 127.0.0.1 {
     type udp
     secret <trusted-network-secret>
}

realm * {
     server <evo-provided-radius-host>.evosecurity.com
     AccountingServer <evo-provided-radius-host>.evosecurity.com
}

In the snippet above, the following placeholders must be replaced as described below.

partner-certificate - a partner-generated certificate for connections into the proxy

trusted-network-secret - the shared secret that a network device uses to connect to the proxy

radius-secret - the shared secret used by RadSec Proxy when connecting to the Evo RADIUS server

evo-provided-radius-host - the host of the Evo RADIUS server

Testing TLS Connection When RadSec Proxy is Used

To test the TLS connection from RadSec Proxy to the Evo RADIUS server, use the radtest client within the trusted network with the command below:

radtest <username> "<password>" <radsecproxy-host>:1812 10 <trusted-network-secret>

username - the email address to authenticate with Evo

password - the password to authenticate with Evo

radsecproxy-host - the IP or hostname of the RadSec Proxy

trusted-network-secret - the secret configured for connections to the RadSec Proxy

You can set this up to help secure your Evo RADIUS instance from within your network. Please let our support team know if you have any questions about this configuration as it relates to Evo Security.

Did this answer your question?

😞

😐

🤩

User cannot login after changing email Requesting a RADIUS Server in Evo / RADIUS Troubleshooting