
Introduction to RADIUS Protocol

Presented By:
Hiral Shah
Varsha Mahalingappa

RADIUS
Introduction:

RADIUS is an application level protocol that carries authentication, authorization and configuration
information between a Network Access Server (NAS) and a Shared Authentication Server.

Transport protocol - UDP

UDP Port 1812 - Authentication
UDP Port 1813 - Accounting

Key Features of RADIUS:

Client/Server model
Network security
Flexible authentication mechanism
Extensible protocol


Terminology:

Service
Session
Silently discard
Access-Request
Access-Accept



RADIUS Overview:

[Figure: the User sends Username & Password to the RADIUS Client; the RADIUS Client sends an Authentication Request to the RADIUS Server; the RADIUS Server returns an Authentication Acknowledgement.]
Authentication and Authorization:

[Figure: the RADIUS Client sends an Access-Request frame to the RADIUS Server; the RADIUS Server replies with an Access-Reject, an Access-Challenge or an Access-Accept.]

Key: Access-Request, Access-Reject, Access-Challenge, Access-Accept

Accounting

Built-in accounting schemes:

Unix accounting
Accounting data are stored in files and can be viewed using the radwho and radlast commands.

Detailed accounting
The detailed accounting information is stored in plain text format. The resulting files can easily be parsed using standard text processing tools.

SQL accounting
Accounting information is stored in an SQL database and processed using standard SQL queries.

Radius is extensible.







Packet Frame:

Code
Identifier
Length
Authenticator - Value used to authenticate the reply from the RADIUS server
Attributes - The data

Client Server Sequence

NAS sends the user credentials, with the password hidden using the shared secret, in an Access-Request.
Access-Accept returns the IP address, network mask, allowed session time, etc.
The accounting phase starts with an Accounting-Request.
When the user logs out, the accounting phase ends with the NAS sending an 'Accounting-Request (Stop)' with some additional information.

The RADIUS Server responds with an 'Accounting-Response' when the accounting information has been stored.
Limitations

Response Authenticator Based Shared Secret Attack
The attacker listens to requests and server responses and pre-computes the MD5 state, which is the prefix of the Response Authenticator:
MD5(Code+ID+Length+ReqAuth+Attrib)
An exhaustive search on the shared secret is then performed, appending each candidate to the above MD5 state.

User-Password Attribute Based Shared Secret Attack
The attacker attempts a connection to the NAS and intercepts the Access-Request, then performs an exhaustive search on the shared secret.

User-Password Based Password Attack
An exhaustive / dictionary attack on the password, XORing each candidate with the MD5 hash as above and sending it each time in the appropriate attribute.
Possible because the request packet is not authenticated at all.

Limitations Continued

Shared Secret Hygiene
Viewed as a single client
Small key size enabling easy attack

Request Authenticator Based Attacks
Passive User-Password Compromise through Repeated Request Authenticators
Active User-Password Compromise through Repeated Request Authenticators
The attacker builds a dictionary as before. When he predicts he can cause the NAS to use a certain ReqAuth, he tries to connect to it and intercepts the Access-Request.

Replay of Server Responses through Repeated Request Authenticators
The attacker builds a dictionary of ReqAuth, ID and the entire server response. Most server responses will be Access-Accept.
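The packet frame, User-Password hiding and Response Authenticator discussed on the Packet Frame and Limitations slides, as an added example written for this page (not code from the slides or from GNU Radius), following RFC 2865. The shared secret, user name and fixed Request Authenticator used in the test are constructed values, and the Access-Accept is produced locally rather than by a real server.

```python
import hashlib, hmac, os, struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def hide_password(password, secret, req_auth):
    """RFC 2865 User-Password hiding: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator (a stream cipher)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password: same keystream, XOR is symmetric."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
def attr(type_, value):  # Type (1) | Length (1) | Value
    return struct.pack("!BB", type_, len(value) + 2) + value
def packet(code, ident, authenticator, attrs):  # Code | ID | Length | Authenticator | Attrs
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(user, password, secret, ident, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # must be unpredictable and never repeated
    hidden = hide_password(password, secret, req_auth)
    return packet(ACCESS_REQUEST, ident, req_auth, attr(USER_NAME, user) + attr(USER_PASSWORD, hidden))

def response_authenticator(code, ident, req_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as on the Limitations slide
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def access_accept(request, secret, attrs=b""):
    ident, req_auth = request[1], request[4:20]
    return packet(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret), attrs)

def verify_response(response, request, secret):
    """Client-side check of a reply: recompute the Response Authenticator and compare in constant time."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

The Access-Request carries no equivalent of verify_response, and because hide_password is a keystream XOR, reusing a Request Authenticator with the same secret reuses the pad, which is what the Request Authenticator based attacks above exploit.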



Conclusion

RADIUS is a remote authentication protocol.
RADIUS is a de-facto standard for remote authentication.
RADIUS is an extensible protocol and can support many authentication methods (e.g. EAP).
RADIUS has several weaknesses:
Usage of a stream cipher
Access-Request transactions are not authenticated at all
The RADIUS specification should require each client to use a different shared secret.
It should also require the shared secret to be a random bit string at least 16 octets long, generated by a PRNG.

DIAMETER was brought in to replace RADIUS and fix some of the flaws:
Uses TCP
Better transmission level security using IPsec


