Introduction to RADIUS Protocol

Presented By:
Hiral Shah
Varsha Mahalingappa

RADIUS

Introduction:
RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared Authentication Server.
Transport protocol - UDP
• UDP Port 1812 – Authentication
• UDP Port 1813 – Accounting

Key Features of RADIUS:
• Client/Server model
• Network security
• Flexible authentication mechanism
• Extensible protocol

Terminology:
• Access-Request
• Access-Accept
• Access-Reject
• Access-Challenge
• Accounting-Request
• Accounting-Response
• Service
• Session
• Silently discard

RADIUS Overview:
User -> RADIUS Client -> RADIUS Server
• Authentication Request (Username & Password)
• Authentication Acknowledgement

Authentication and Authorization:
RADIUS Client -> RADIUS Server
• Access-Request frame
• Access-Reject or Access-Challenge or Access-Accept

Accounting
Key: Access-Request, Access-Reject, Access-Challenge or Access-Accept
Built-in accounting schemes:
– Unix accounting
  • Accounting data are stored in files and can be viewed using the radwho and radlast commands
– Detailed accounting
  • The detailed accounting information is stored in plain text format. The resulting files can easily be parsed using standard text processing tools.
– SQL accounting
  • Accounting information is stored in an SQL database and processed using standard SQL queries.
RADIUS is extensible.

Packet Frame:
Details
– Code
– Identifier
– Length
– Authenticator - value used to authenticate the reply from the RADIUS server
– Attributes - the data

Client Server Sequence
• NAS sends encrypted user info with an Access-Request
• Access-Accept with IP address, network mask, allowed session time, etc.
• Accounting phase starts with an Accounting-Request
• When the user logs out, the accounting phase ends with the NAS sending an 'Accounting-Request (Stop)' with some additional information.
• The RADIUS server responds with an 'Accounting-Response' when the accounting information is stored.

Limitations
Response Authenticator Based Shared Secret Attack
– Attacker listens to requests and server responses, and pre-computes the MD5 state, which is the prefix of the response authenticator: MD5(Code+ID+Length+ReqAuth+Attrib)
– Performs an exhaustive search on the shared secret, adding it to the above MD5 state each time.
User-Password Attribute Based Shared Secret Attack
– Performs an exhaustive search on the shared secret.
– The attacker attempts a connection to the NAS, and intercepts the Access-Request.
User-Password Based Password Attack
– Performs an exhaustive / dictionary attack on the password, XORing it with the above MD5 and sending it each time in the appropriate attribute.
– Possible because the request packet is not authenticated.

Limitations Continued…
Shared Secret Hygiene
– Viewed as a single client
– Small key size enabling easy attack
Request Authenticator Based Attacks
– Passive User-Password compromise through repeated Request Authenticators
– Active User-Password compromise through repeated Request Authenticators
  • Attacker builds a dictionary as before.
  • When he predicts he can cause the NAS to use a certain ReqAuth, he tries to connect to it and intercepts the Access-Request.
Replay of Server Responses through Repeated Request Authenticators
– The attacker builds a dictionary with ReqAuth, ID and the entire server response.
– Most server responses will be Access-Accept.

Conclusion
RADIUS is a remote authentication protocol.
RADIUS is a de-facto standard for remote authentication.
RADIUS is an extensible protocol, and can support many authentication methods (e.g. EAP).
RADIUS has several weaknesses.
– Usage of a stream cipher
– Access-Request transaction not authenticated at all
– The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long that is generated by a PRNG.
DIAMETER was brought in to replace RADIUS and fix some of the flaws
• Uses TCP
• Better transport-level security using IPsec

References
Radius can be downloaded from http://ftp.gnu.org/gnu/radius/
http://www.panasia.org.sg/conf/pan/c001p028.htm
http://www.ietf.org/rfc/rfc2865.txt
http://www.ietf.org/rfc/rfc2866.txt
http://www.gnu.org/software/radius/radius.html
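To make the Packet Frame slide and the Response Authenticator check from the Limitations slides concrete, here is an added Python example (not code from the presentation or from GNU Radius): it builds and parses the Code/Identifier/Length/Authenticator/Attributes frame, computes MD5(Code+ID+Length+ReqAuth+Attrib+Secret) so a client can verify that a reply came from the holder of the shared secret, and audits captured Access-Requests for the repeated Request Authenticators the slides warn about. The shared secret, Request Authenticator and attribute values below are constructed sample data.

```python
import hashlib, hmac, struct
from collections import Counter

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # Code values from RFC 2865

def build_packet(code, ident, authenticator, attrs):
    """Serialise Code, Identifier, Length, 16-octet Authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, ident, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS Length field")
    authenticator, attrs, pos = data[4:20], [], 20
    while pos < length:
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    prefix = build_packet(code, ident, req_auth, attrs)  # the part an eavesdropper can precompute
    return hashlib.md5(prefix + secret).digest()

def verify_response(response, req_auth, secret):
    """Client-side check: only a holder of the shared secret can produce this reply."""
    code, ident, resp_auth, attrs = parse_packet(response)
    expected = response_authenticator(code, ident, req_auth, attrs, secret)
    return hmac.compare_digest(expected, resp_auth)

def repeated_request_authenticators(requests):
    """Audit captured Access-Requests for Request Authenticators that were reused."""
    counts = Counter()
    for pkt in requests:
        code, _, auth, _ = parse_packet(pkt)
        if code == ACCESS_REQUEST:
            counts[auth] += 1
    return {auth: n for auth, n in counts.items() if n > 1}

# Constructed sample: an Access-Accept carrying Framed-IP-Address (type 8) and
# Session-Timeout (type 27), the "IP address ... allowed session time" of the sequence slide.
SECRET, REQ_AUTH = b"example-secret", bytes(range(16))
ATTRS = [(8, bytes([192, 0, 2, 10])), (27, struct.pack("!I", 3600))]
RESP_AUTH = response_authenticator(ACCESS_ACCEPT, 7, REQ_AUTH, ATTRS, SECRET)
REPLY = build_packet(ACCESS_ACCEPT, 7, RESP_AUTH, ATTRS)
```

A reply with a wrong secret, or a forged reply that simply echoes the Request Authenticator, fails verify_response; the audit function flags the reuse that makes the dictionary and replay attacks on the slides possible.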