Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Basic questions about RADIUS authentication

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 23 Nov 2004 18:29:31 -0500
It was my understanding that PEAP (Protected EAP) authentication (if
used) protects RADIUS against these types of attacks...by negotiating a
secure tunnel before actual user or machine credentials are passed? 

-----Original Message-----
From: Bulgaria Online - Assen Totin [mailto:assen () online bg] 
Sent: Tuesday, November 23, 2004 6:08 AM
To: security-basics () securityfocus com
Subject: Re: Basic questions about RADIUS authentication

Hi all,

V> Q.1- Is it not possible to sniff this communication and launch a 
V> dictionary attack?

Provided the attacker pretends to be a valid RADIUS client, yes.
However, the RADIUS server normally responds only to clients listed in
its configuration. So the attack should also come from a "valid" (from
the point of view of the RADIUS server) IP address - or spoof the source
IP address _and_ take measures to receive the replies.

V> After the user is authenticated, RADIUS server creates and sends the 
V> user and the NAS session keys.
V> Q.2- Is it not possible in this instance to launch a 
V> man-in-the-middle attack?

I'm not sure about this. RADIUS can do not only authentication, but
solely accounting or authorisation. Thus "After the user is
authenticated" is not clear to me. From what I know, after the server
processes the query, it assigns a more or less unique Session-Id (which
is used further till the end of the session).

V> Q.3- How is the data (userids and passwords) secured in the RADIUS
server?
V> Is it not possible to launch an attack at the RADIUD server database?

I guess depends on the RADIUS server and configuration. As far as I
know, RADIUS server can authenticate requests against several sources,
including probably /etc/passwd, SQL database (Cistron RADIUS and its
successors at least), or even through an external application (e.g.
XtRadius). So the protection of the passwords is not really a RADIUS
issue, but a system administration task (of course, one should take care
not to configure RADIUS to show plain text passwords in its log files).
External attack (meaning an attack coming from a host, different from
the RADIUS server) would probably be a brute-force one trying to guess a
valid pair of username and password. However, if a potential attacker
gains access (even non-privileged) to the host where RADIUS server
resides, his opportunities to interfere in the authentication process
become much broader.

WWell,

Assen Totin
Development Manager

===============================
        BULGARIA ONLINE
  Your quality... Your price!
===============================
tel. (+359 2) 973-3000 ext. 511
     http://home.online.bg
Previous By Date Next
Previous By Thread Next

Current thread: