SJSU CS 265 - Introduction to RADIUS Protocol
Introduction to RADIUS Protocol
Presented By: Hiral Shah, Varsha Mahalingappa

Outline:
- RADIUS
- RADIUS Overview
- Authentication and Authorization
- Accounting
- Packet Frame
- Client Server Sequence
- Limitations
- Limitations Continued
- Conclusion
- References

RADIUS
Introduction:
- RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared Authentication Server.
- Transport protocol: UDP
  • UDP port 1812 - Authentication
  • UDP port 1813 - Accounting

Key Features of RADIUS:
- Client/server model
- Network security
- Flexible authentication mechanism
- Extensible protocol

Terminology:
- Service
- Session
- Silently discard
- Access-Request
- Access-Accept
- Access-Reject
- Access-Challenge
- Accounting-Request
- Accounting-Response

RADIUS Overview:
(Diagram: User -> RADIUS Client -> RADIUS Server)
- Authentication Request (Username & Password)
- Authentication Acknowledgement

Authentication and Authorization:
(Diagram: RADIUS Client -> RADIUS Server)
- Access-Request frame
- Access-Reject, Access-Challenge or Access-Accept

Accounting
Key: Access-Request, Access-Reject, Access-Challenge or Access-Accept
Built-in accounting schemes:
- Unix accounting
  • Accounting data are stored in files and can be viewed using the radwho and radlast commands.
- Detailed accounting
  • The detailed accounting information is stored in plain text format. The resulting files can easily be parsed using standard text processing tools.
- SQL accounting
  • Accounting information is stored in an SQL database and processed using standard SQL queries.
- RADIUS is extensible.

Packet Frame:
Details
- Code
- Identifier
- Length
- Authenticator - value used to authenticate the reply from the RADIUS server
- Attributes - the data

Client Server Sequence
• The NAS sends encrypted user information with an Access-Request.
• Access-Accept carries the IP address, network mask, allowed session time, etc.
• The accounting phase starts with an Accounting-Request.
• When the user logs out, the accounting phase ends with the NAS sending an 'Accounting-Request (Stop)' with some additional information.
• The RADIUS server responds with an 'Accounting-Response' when the accounting information is stored.

Limitations
Response Authenticator Based Shared Secret Attack
- The attacker listens to requests and server responses and pre-computes the MD5 state, which is the prefix of the Response Authenticator: MD5(Code+ID+Length+ReqAuth+Attrib)
- Performs an exhaustive search on the shared secret, adding it to the above MD5 state each time.
User-Password Attribute Based Shared Secret Attack
- Performs an exhaustive search on the shared secret.
- The attacker attempts a connection to the NAS and intercepts the Access-Request.
User-Password Based Password Attack
- Performs an exhaustive/dictionary attack on the password, XORing it with the above MD5 and sending it each time in the appropriate attribute.
- Possible because there is no authentication on the request packet.

Limitations Continued...
Shared Secret Hygiene
- Viewed as a single client
- Small key size enabling easy attack
Request Authenticator Based Attacks
- Passive User-Password Compromise through Repeated Request Authenticators
- Active User-Password Compromise through Repeated Request Authenticators
  • The attacker builds a dictionary as before.
  • When he predicts he can cause the NAS to use a certain ReqAuth, he tries to connect to it and intercepts the Access-Request.
- Replay of Server Responses through Repeated Request Authenticators
  • The attacker builds a dictionary with ReqAuth, ID and the entire server response.
  • Most server responses will be Access-Accept.

Conclusion
- RADIUS is a remote authentication protocol.
- RADIUS is a de-facto standard for remote authentication.
- RADIUS is an extensible protocol and can support many authentication methods (e.g. EAP).
- RADIUS has several weaknesses:
  • Usage of a stream cipher
  • The Access-Request transaction is not authenticated at all
  • The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long that is generated by a PRNG.
- DIAMETER was brought in to replace RADIUS and fix some of the flaws:
  • Uses TCP
  • Better transmission-level security using IPsec

References
- Radius can be downloaded from http://ftp.gnu.org/gnu/radius/
- http://www.panasia.org.sg/conf/pan/c001p028.htm
- http://www.ietf.org/rfc/rfc2865.txt
- http://www.ietf.org/rfc/rfc2866.txt
- http://www.gnu.org/software/radius/radius.html
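The Packet Frame and Client Server Sequence slides name the header fields and say the Authenticator authenticates the server's reply, but not how that reply is checked or how the "encrypted user info" is produced. The following Python codec is an added example written for this page, not the presenters' code and not GNU Radius: it builds and parses RFC 2865 packets with the Length rules enforced, applies the RFC's User-Password hiding (the MD5-based stream the Conclusion slide calls a stream cipher), and verifies a Response Authenticator on the client side, which is the check that lets a NAS reject a reply not produced by the holder of the shared secret. The secret, user name and password are constructed values.

```python
# Added example: minimal RFC 2865 codec with the two integrity mechanisms the
# slides mention (Response Authenticator, User-Password hiding). Constructed
# values throughout; not the presenters' or GNU Radius code.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> Type(1) Length(1) Value TLVs."""
    out = bytearray()
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Parse TLVs, refusing lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length %d" % length)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", code, ident, HEADER_LEN + len(body), authenticator) + body


def parse_packet(pkt):
    """Return (code, ident, authenticator, attrs), enforcing the Length rules."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length, auth = struct.unpack("!BBH16s", pkt[:HEADER_LEN])
    if length < HEADER_LEN or length > 4096 or length > len(pkt):
        raise ValueError("invalid Length %d" % length)
    return code, ident, auth, decode_attrs(pkt[HEADER_LEN:length])  # octets past Length are padding


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks; block i is XORed with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-zero multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), computed by the server."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def verify_response(resp_pkt, request_auth, secret):
    """Client-side check: the reply matches our outstanding request and was made with the secret."""
    _, _, auth, _ = parse_packet(resp_pkt)            # structural validation first
    length = struct.unpack("!H", resp_pkt[2:4])[0]
    expected = hashlib.md5(resp_pkt[:4] + request_auth + resp_pkt[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def demo(secret=b"constructed-secret-0123456789abcd", password=b"s3cret-pw"):
    """One exchange: hide, parse, unhide, then verify a genuine and a forged reply."""
    req_auth = os.urandom(16)                         # fresh per request, as RFC 2865 requires
    req = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
    ])
    code, ident, auth, attrs = parse_packet(req)      # server side
    recovered = unhide_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth)
    genuine = build_packet(ACCESS_ACCEPT, ident,
                           response_authenticator(ACCESS_ACCEPT, ident, [], auth, secret), [])
    forged = build_packet(ACCESS_ACCEPT, ident, os.urandom(16), [])  # no knowledge of the secret
    return recovered, verify_response(genuine, req_auth, secret), verify_response(forged, req_auth, secret)


if __name__ == "__main__":
    print(demo())  # (b's3cret-pw', True, False)
```

Two details matter for the weaknesses the slides list next: the keystream for the first password block depends only on the secret and the Request Authenticator, so a NAS that repeats Request Authenticators reuses keystream, and the Access-Request itself carries no authenticator the server can verify, so only the reply direction is protected.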
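The Limitations and Conclusion slides rest on two conditions an operator can monitor rather than attack: a NAS repeating Request Authenticators (the precondition for the passive and active User-Password compromises and for replaying server responses) and shared secrets that are short or shared by several clients (the "viewed as a single client" problem). The audit below is an added example, not the presenters' code; the NAS addresses, client table and captured headers are constructed, and the 16-octet minimum is the slides' recommendation rather than a value taken from any deployment.

```python
# Added example: defensive audit for the two conditions behind the slides'
# Request-Authenticator and shared-secret weaknesses. Constructed data only;
# not the presenters' or GNU Radius code.
import os
from collections import defaultdict

MIN_SECRET_OCTETS = 16       # the Conclusion slide's recommended minimum
ACCESS_REQUEST = 1


def access_request_header(ident, request_auth):
    """20-octet header of an attribute-less Access-Request (constructed sample)."""
    return bytes([ACCESS_REQUEST, ident, 0, 20]) + request_auth


def find_repeated_request_authenticators(captures):
    """captures: iterable of (nas_ip, raw_packet). Returns
    {(nas_ip, request_auth): [identifiers]} for every authenticator a NAS used
    more than once. A repeat means the MD5 keystream hiding User-Password was
    reused and any recorded server reply for it could be replayed."""
    seen = defaultdict(list)
    for nas, pkt in captures:
        if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST:
            continue                                 # only Access-Requests carry a random ReqAuth
        seen[(nas, pkt[4:20])].append(pkt[1])        # octets 4..19 = Request Authenticator
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def audit_shared_secrets(clients):
    """clients: {nas_ip: secret_bytes}. Flags short secrets and secrets shared
    by more than one client, so the server sees several NASes as one."""
    findings = []
    by_secret = defaultdict(list)
    for nas, secret in clients.items():
        by_secret[secret].append(nas)
        if len(secret) < MIN_SECRET_OCTETS:
            findings.append((nas, "shared secret shorter than %d octets" % MIN_SECRET_OCTETS))
    for nases in by_secret.values():
        if len(nases) > 1:
            findings.append((tuple(sorted(nases)), "same shared secret on several clients"))
    return findings


def sample_capture():
    """Constructed traffic: NAS 10.0.0.1 draws a fresh authenticator each time,
    NAS 10.0.0.2 reuses one value for two requests."""
    fresh = [("10.0.0.1", access_request_header(i, os.urandom(16))) for i in range(3)]
    stuck = b"\x42" * 16
    repeated = [("10.0.0.2", access_request_header(i, stuck)) for i in (5, 6)]
    return fresh + repeated


SAMPLE_CLIENTS = {                                    # constructed client table
    "10.0.0.1": b"tooshort",
    "10.0.0.2": b"constructed-secret-0123456789ab",
    "10.0.0.3": b"constructed-secret-0123456789ab",
}

if __name__ == "__main__":
    for (nas, ra), ids in find_repeated_request_authenticators(sample_capture()).items():
        print("NAS %s reused ReqAuth %s for Identifiers %s" % (nas, ra.hex(), ids))
    for subject, problem in audit_shared_secrets(SAMPLE_CLIENTS):
        print(subject, problem)
```

Run over a real capture, the first function is most useful per NAS over a long window: a single repeat across thousands of requests already indicates a weak random source on that device, which is exactly what the "Repeated Request Authenticators" attacks depend on.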