Security Basics mailing list archives
Re: Basic questions about RADIUS authentication
From: Bulgaria Online - Assen Totin <assen () online bg>
Date: Tue, 23 Nov 2004 13:08:12 +0200
Hi all,
V> Q.1- Is it not possible to sniff this communication and launch a dictionary
V> attack?
Provided the attacker pretends to be a valid RADIUS client, yes.
However, the RADIUS server normally responds only to clients listed in
its configuration. So the attack should also come from a "valid" (from
the point of view of the RADIUS server) IP address - or spoof the
source IP address _and_ take measures to receive the replies.
V> After the user is authenticated, RADIUS server creates and sends the user
V> and the NAS session keys.
V> Q.2- Is it not possible in this instance to launch a man-in-the-middle
V> attack?
I'm not sure about this. RADIUS can do not only authentication, but
also solely accounting or authorisation. Thus "After the user is
authenticated" is not clear to me. From what I know, after the server
processes the query, it assigns a more or less unique Session-Id
(which is used further till the end of the session).
V> Q.3- How is the data (userids and passwords) secured in the RADIUS server?
V> Is it not possible to launch an attack at the RADIUS server database?
I guess it depends on the RADIUS server and configuration. As far as I
know, a RADIUS server can authenticate requests against several sources,
including probably /etc/passwd, SQL database (Cistron RADIUS and its
successors at least), or even through an external application
(e.g. XtRadius). So the protection of the passwords is not really a
RADIUS issue, but a system administration task (of course, one should
take care not to configure RADIUS to show plain text passwords in its
log files). An external attack (meaning an attack coming from a host
different from the RADIUS server) would probably be a brute-force
one trying to guess a valid pair of username and password. However, if
a potential attacker gains access (even non-privileged) to the host
where the RADIUS server resides, his opportunities to interfere in the
authentication process become much broader.
Well,
Assen Totin
Development Manager
===============================
BULGARIA ONLINE
Your quality... Your price!
===============================
tel. (+359 2) 973-3000 ext. 511
http://home.online.bg
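As an added illustration (not part of this thread and not code from any RADIUS server), the following Python models the two points the reply above makes: the server answers only clients listed in its configuration (keyed by source IP, each with its own shared secret), and the User-Password attribute of an Access-Request is never sent in clear but is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator (RFC 2865, section 5.2). The client table, secrets, user store, PBKDF2 backend and sample request are all constructed for the example; the backend stands in for the /etc/passwd or SQL sources the reply mentions.

```python
# Added example (not from the mailing-list thread): a minimal model of a RADIUS
# server's client check and of RFC 2865 User-Password hiding/recovery.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed client table: source IP -> shared secret, as a server would load
# from its clients file. Unknown sources get no reply at all (RFC 2865 section 3).
CLIENTS = {
    "192.0.2.10": b"9f3e6c1b0a7d4e2f8b5c3a1d6e9f0b2c",   # constructed NAS entry
    "192.0.2.11": b"2b7e151628aed2a6abf7158809cf4f3c",   # constructed NAS entry
}

def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    # Salted, slow hash for the stored credential; the clear text is never kept.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash). Fixed salt so
# the example is repeatable; a real store uses a fresh random salt per user.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _pbkdf2(b"correct horse battery", _SALT))}
_DUMMY = (_SALT, _pbkdf2(b"placeholder", _SALT))   # used so unknown users cost the same time

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then for each 16-octet chunk
    c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator.
    Returns the hidden value that goes on the wire."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: same keystream, XOR back, strip NUL padding.
    Only a party holding the shared secret can do this, which is why the hiding
    is exactly as strong as the secret's entropy and no stronger."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

def handle_access_request(src_ip: str, user: str, authenticator: bytes,
                          hidden_pw: bytes) -> Optional[str]:
    """Server side of one Access-Request. Returns 'Access-Accept', 'Access-Reject',
    or None when the packet came from an unconfigured client and is silently dropped."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                      # not a configured client: no reply, nothing logged
    try:
        password = reveal_password(hidden_pw, secret, authenticator)
    except ValueError:
        return "Access-Reject"
    salt, stored = USERS.get(user, _DUMMY)
    ok = user in USERS and hmac.compare_digest(_pbkdf2(password, salt), stored)
    # Log the outcome only, never the recovered password (the reply's caveat on log files).
    print(f"auth user={user!r} client={src_ip} result={'accept' if ok else 'reject'}")
    return "Access-Accept" if ok else "Access-Reject"

if __name__ == "__main__":
    # A NAS picks a fresh random Request Authenticator for every request.
    auth = secrets.token_bytes(16)
    wire = hide_password(b"correct horse battery", CLIENTS["192.0.2.10"], auth)
    print(handle_access_request("192.0.2.10", "alice", auth, wire))   # Access-Accept
    print(handle_access_request("198.51.100.7", "alice", auth, wire)) # None (dropped)
```

Two things the model makes visible. First, a host that is not in the client table gets no reply, so it cannot use the server as an online oracle; that is the allow-list point of the reply. Second, a passive observer on the path still sees the hidden User-Password and the Request Authenticator, and the only thing standing between that capture and the password is the shared secret, so the secret must be long and random (not a word), and RADIUS traffic belongs on a trusted segment or inside IPsec rather than on an open network.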
Current thread:
- Basic questions about RADIUS authentication VI (Nov 22)
- Re: Basic questions about RADIUS authentication Bulgaria Online - Assen Totin (Nov 23)
- <Possible follow-ups>
- RE: Basic questions about RADIUS authentication Ed Whitesell (Nov 24)
- RE: Basic questions about RADIUS authentication Roger A. Grimes (Nov 25)
