Introduction to RADIUS Protocol
Presented by: Hiral Shah, Varsha Mahalingappa
RADIUS Introduction:
RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared authentication server.
Transport protocol: UDP
UDP port 1812 - Authentication
UDP port 1813 - Accounting
Key Features of RADIUS:
• Client/server model
• Network security
• Flexible authentication mechanism
• Extensible protocol
Terminology:
• Access-Request
• Access-Accept
• Access-Reject
• Access-Challenge
• Accounting-Request
• Accounting-Response
• Service
• Session
• Silently discard
RADIUS Overview:
User -> RadiusClient: Username & Password
RadiusClient -> RadiusServer: Authentication Request
RadiusServer -> RadiusClient: Authentication Acknowledgement
Authentication and Authorization:
RadiusClient -> RadiusServer: Access-Request frame
RadiusServer -> RadiusClient: Access-Reject or Access-Challenge or Access-Accept
Accounting
Key: Access-Request; Access-Reject, Access-Challenge or Access-Accept
Built-in accounting schemes:
– Unix accounting
  • Accounting data are stored in files and can be viewed using the radwho and radlast commands.
– Detailed accounting
  • The detailed accounting information is stored in plain-text format. The resulting files can easily be parsed using standard text-processing tools.
– SQL accounting
  • Accounting information is stored in an SQL database and processed using standard SQL queries.
RADIUS is extensible
Packet Frame:
– Code
– Identifier
– Length
– Authenticator: value used to authenticate the reply from the RADIUS server
– Attributes: the data
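The packet frame above, worked through in code. This is an added example, not code from the deck or from GNU Radius: it serialises and parses the 20-octet header plus attribute TLVs, and shows the Authenticator field doing its job, i.e. the NAS recomputing the Response Authenticator MD5(Code + ID + Length + RequestAuth + Attributes + Secret) before trusting a reply. The secret, Request Authenticator and the Reply-Message attribute (type 18) used in the test are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ACCESS_CHALLENGE = 11

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096   # RFC 2865: maximum RADIUS packet length


def build_packet(code, identifier, authenticator, attributes):
    """Serialise header + attributes; each attribute is a (type, value) TLV."""
    body = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        body += struct.pack("!BB", attr_type, 2 + len(value)) + value
    length = HEADER_LEN + len(body)
    if length > MAX_LEN:
        raise ValueError("packet exceeds 4096 octets")
    return struct.pack("!BBH16s", code, identifier, length, authenticator) + body


def parse_packet(data):
    """Parse the header and walk the attribute TLVs, rejecting every inconsistent
    length before any value is used (the receiver must silently discard such packets)."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than RADIUS header")
    code, identifier, length, authenticator = struct.unpack("!BBH16s", data[:HEADER_LEN])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("Length field inconsistent with datagram")
    attributes, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attributes.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attributes


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    RequestAuth is the Authenticator of the Access-Request being answered."""
    image = build_packet(code, identifier, request_auth, attributes)
    return hashlib.md5(image + secret).digest()


def build_response(code, identifier, attributes, request_auth, secret):
    """Server side: the reply's Authenticator field carries the Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response, request_auth, secret):
    """NAS side: recompute the Response Authenticator from the reply and the outstanding
    request's RequestAuth; a mismatch means a forged or damaged reply, to be discarded."""
    code, identifier, authenticator, attributes = parse_packet(response)
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(authenticator, expected)
```

Note that the same prefix Code + ID + Length + RequestAuth + Attributes is visible on the wire, and only the secret appended at the end is not; that is exactly the MD5 state the Limitations slides below talk about precomputing.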
Client Server Sequence:
• NAS sends encrypted user info with Access-Request
• Access-Accept with IP address, network mask, allowed session time, etc.
• Accounting phase starts with Accounting-Request
• When the user logs out, the accounting phase ends with the NAS sending an 'Accounting-Request (Stop)' with some additional information.
• The RADIUS server responds with an 'Accounting-Response' when the accounting information is stored.
Limitations
Response Authenticator Based Shared Secret Attack
– Attacker listens to requests and server responses, and pre-computes the MD5 state, which is the prefix of the Response Authenticator: MD5(Code+ID+Length+ReqAuth+Attrib)
– Performs an exhaustive search on the shared secret, adding it to the above MD5 state each time.
User-Password Attribute Based Shared Secret Attack
– Performs an exhaustive search on the shared secret.
– The attacker attempts a connection to the NAS, and intercepts the Access-Request.
User-Password Based Password Attack
– Performs an exhaustive / dictionary attack on the password, XORing it with the above MD5 and sending it each time in the appropriate attribute.
– Possible due to no authentication on the request packet.
Limitations Continued…
Shared Secret Hygiene
– Viewed as a single client
– Small key size enabling easy attack
Request Authenticator Based Attacks
– Passive User-Password compromise through repeated Request Authenticators
– Active User-Password compromise through repeated Request Authenticators
  • Attacker builds a dictionary as before.
  • When he predicts he can cause the NAS to use a certain ReqAuth, he tries to connect to it and intercepts the Access-Request.
– Replay of server responses through repeated Request Authenticators
  • The attacker builds a dictionary with ReqAuth, ID and the entire server response.
  • Most server responses will be Access-Accept.
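The User-Password attacks on the previous slide and the repeated-Request-Authenticator attacks on this one both come down to the same mechanism, so one added example covers both (it is not code from the deck or from any RADIUS implementation). It implements the RFC 2865 section 5.2 User-Password hiding, whose MD5 outputs act as the stream-cipher keystream the deck refers to, and a defender-side check that scans captured Access-Requests for a NAS reusing a Request Authenticator, which is the condition under which that keystream repeats. The secret, authenticators and the three-packet capture are constructed sample data.

```python
import hashlib
from collections import defaultdict


def _keystream_block(secret, chain):
    # One 16-octet keystream block: MD5(shared secret + previous block).
    return hashlib.md5(secret + chain).digest()


def hide_password(password, request_auth, secret):
    """User-Password hiding (RFC 2865 section 5.2): pad with NULs to a multiple of
    16 octets, then XOR each block with MD5(secret + previous block), where the
    first 'previous block' is the Request Authenticator. The keystream is a pure
    function of (secret, request_auth), so it repeats whenever they do."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, chain = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _keystream_block(secret, chain)))
        hidden += block
        chain = block
    return bytes(hidden)


def reveal_password(hidden, request_auth, secret):
    """Server-side inverse: regenerate the keystream, chaining on the received
    ciphertext blocks, then strip the NUL padding (passwords are text)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, chain = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, _keystream_block(secret, chain)))
        chain = block
    return bytes(plain).rstrip(b"\x00")


def find_repeated_request_authenticators(access_requests):
    """Defender check over captured (nas, datagram) pairs: group Access-Requests by
    source NAS and the 16-octet Request Authenticator at offsets 4..19. A value
    seen twice from one NAS means its authenticator generator is not random and
    the password keystream above has been reused. Returns {(nas, auth): [ids]}."""
    seen = defaultdict(list)
    for nas, datagram in access_requests:
        if len(datagram) < 20 or datagram[0] != 1:  # Code 1 = Access-Request
            continue
        seen[(nas, datagram[4:20])].append(datagram[1])  # Identifier, for the report
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


# Constructed sample capture: header-only Access-Requests (Length = 20); the first
# two come from the same NAS and reuse an all-zero Request Authenticator.
SAMPLE_CAPTURE = [
    ("192.0.2.10", bytes([1, 5, 0, 20]) + bytes(16)),
    ("192.0.2.10", bytes([1, 6, 0, 20]) + bytes(16)),
    ("192.0.2.11", bytes([1, 5, 0, 20]) + bytes(range(16))),
]

if __name__ == "__main__":
    print(find_repeated_request_authenticators(SAMPLE_CAPTURE))
```

Because nothing in the Access-Request is authenticated, neither function above can tell a genuine request from a crafted one; in later RADIUS practice the Message-Authenticator attribute of RFC 2869 (an HMAC-MD5 over the request under the shared secret) is what closes that gap, which the deck does not cover.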
Conclusion
RADIUS is a remote authentication protocol. RADIUS is a de-facto standard for remote authentication. RADIUS is an extensible protocol and can support many authentication methods (e.g. EAP). RADIUS has several weaknesses:
– Usage of a stream cipher
– Access-Request transactions are not authenticated at all
– The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long that is generated by a PRNG.
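The two shared-secret recommendations just stated, as an added check (not part of the deck): a per-client secret generator that draws at least 16 octets from the operating system's CSPRNG, and an audit over a NAS-to-secret table that flags secrets that are too short or shared between clients. The client table is a constructed sample, not a real configuration.

```python
import secrets
from collections import Counter

MIN_SECRET_OCTETS = 16  # the deck's recommendation: random bit string of at least 16 octets


def generate_shared_secret(n_octets=MIN_SECRET_OCTETS):
    """One fresh secret per NAS from the OS CSPRNG, hex-encoded so it survives
    copy-paste into a clients file while keeping n_octets of entropy."""
    if n_octets < MIN_SECRET_OCTETS:
        raise ValueError(f"need at least {MIN_SECRET_OCTETS} octets")
    return secrets.token_hex(n_octets)


def audit_shared_secrets(clients):
    """clients: mapping of NAS name -> secret (bytes). Returns a sorted list of
    (nas, finding, detail) for the two hygiene failures the deck lists: a secret
    that is too short, and one secret shared by several clients."""
    findings = []
    users_of = Counter(clients.values())
    for nas, secret in clients.items():
        if len(secret) < MIN_SECRET_OCTETS:
            findings.append((nas, "short", f"{len(secret)} octets < {MIN_SECRET_OCTETS}"))
        if users_of[secret] > 1:
            findings.append((nas, "reused", f"shared with {users_of[secret] - 1} other client(s)"))
    return sorted(findings)


# Constructed sample client table (not a real configuration)
SAMPLE_CLIENTS = {
    "nas-a": b"s3cret",
    "nas-b": b"s3cret",
    "nas-c": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

if __name__ == "__main__":
    for finding in audit_shared_secrets(SAMPLE_CLIENTS):
        print(*finding)
    print("replacement secret for nas-a:", generate_shared_secret())
```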
DIAMETER was brought in to replace RADIUS and fix some of the flaws:
• Uses TCP
• Better transmission-level security using IPsec
References
• Radius can be downloaded from http://ftp.gnu.org/gnu/radius/
• http://www.panasia.org.sg/conf/pan/c001p028.htm
• http://www.ietf.org/rfc/rfc2865.txt
• http://www.ietf.org/rfc/rfc2866.txt
• http://www.gnu.org/software/radius/radius.html
• http://www2.rad.com/networks/2000/radius/home.htm