
Introduction to RADIUS Protocol

Introduction to RADIUS Protocol. Presented By: Hiral Shah Varsha Mahalingappa. RADIUS. Introduction : RADIUS is an application level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a Shared Authentication Server.



Presentation Transcript


  1. Introduction to RADIUS Protocol
     Presented By: Hiral Shah, Varsha Mahalingappa

  2. RADIUS
     Introduction: RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared Authentication Server.
     • Transport protocol: UDP
     • UDP port 1812 – Authentication
     • UDP port 1813 – Accounting
     Key features of RADIUS:
     • Client/server model
     • Network security
     • Flexible authentication mechanism
     • Extensible protocol

  3. Terminology:
     • Service
     • Session
     • Silently discard
     • Access-Request
     • Access-Accept
     • Access-Reject
     • Access-Challenge
     • Accounting-Request
     • Accounting-Response

  4. RADIUS Overview (diagram: User → RADIUS Client → RADIUS Server)
     • The user presents a username and password to the RADIUS client.
     • The RADIUS client sends an Authentication Request to the RADIUS server.
     • The RADIUS server returns an Authentication Acknowledgement.

  5. Authentication and Authorization (diagram: RADIUS Client ↔ RADIUS Server)
     • Client → Server: Access-Request frame
     • Server → Client: Access-Reject, Access-Challenge or Access-Accept

  6. Accounting
     • Key packet types: Access-Request, Access-Reject, Access-Challenge or Access-Accept
     • Built-in accounting schemes:
       • Unix accounting – accounting data are stored in files and can be viewed using the radwho and radlast commands
       • Detailed accounting – the detailed accounting information is stored in plain-text format; the resulting files can easily be parsed using standard text-processing tools
       • SQL accounting – the information is stored in an SQL database and processed using standard SQL queries
     • RADIUS is extensible

  7. Packet Frame
     • Code
     • Identifier
     • Length
     • Authenticator – value used to authenticate the reply from the RADIUS server
     • Attributes – the data

  8. Client–Server Sequence
     • The NAS sends the encrypted user information in an Access-Request.
     • The Access-Accept carries the IP address, network mask, allowed session time, etc.
     • The accounting phase starts with an Accounting-Request.
     • When the user logs out, the accounting phase ends with the NAS sending an 'Accounting-Request (Stop)' with some additional information.
     • The RADIUS server responds with an 'Accounting-Response' once the accounting information is stored.
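As an added example, not part of the presentation: the five header fields of slide 7 and the hidden User-Password that the NAS sends in the Access-Request of step 1 above, in Python, with a parser that rejects a Length field or an attribute that overruns the packet. The shared secret, user name and password used in the check are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1      # packet Code (RFC 2865)
ATTR_USER_NAME = 1      # attribute Types
ATTR_USER_PASSWORD = 2

def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each chunk
    with MD5(secret + previous chunk), the first chunk keyed by the Request
    Authenticator. For a single chunk the transform is its own inverse."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def encode_attrs(attrs) -> bytes:
    """Encode (type, value) pairs as Type / Length / Value; Length covers the header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(identifier, secret, username, password, req_auth=None):
    """Client side of slide 8, step 1: Code 1 + Identifier + Length + Request
    Authenticator (16 random octets) + attributes, the password hidden as above."""
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs

def parse_packet(data: bytes) -> dict:
    """Split a packet into its header fields and attributes, rejecting a Length
    outside 20..len(data) and any attribute that overruns it."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": identifier, "length": length,
            "authenticator": data[4:20], "attrs": attrs}
```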

  9. Limitations
     • Response Authenticator Based Shared Secret Attack
       • The attacker listens to requests and server responses and pre-computes the MD5 state, which is the prefix of the response authenticator: MD5(Code+ID+Length+ReqAuth+Attrib)
       • Performs an exhaustive search on the shared secret, adding it to the above MD5 state each time.
     • User-Password Attribute Based Shared Secret Attack
       • Performs an exhaustive search on the shared secret.
       • The attacker attempts a connection to the NAS and intercepts the Access-Request.
     • User-Password Based Password Attack
       • Performs an exhaustive / dictionary attack on the password, XORing it with the above MD5 and sending it each time in the appropriate attribute.
       • Possible because there is no authentication on the request packet.

  10. Limitations Continued…
     • Shared Secret Hygiene
       • Viewed as a single client
       • Small key size enabling easy attack
     • Request Authenticator Based Attacks
       • Passive User-Password Compromise through Repeated Request Authenticators
       • Active User-Password Compromise through Repeated Request Authenticators
         • The attacker builds a dictionary as before.
         • When he predicts that he can cause the NAS to use a certain ReqAuth, he tries to connect to it and intercepts the Access-Request.
       • Replay of Server Responses through Repeated Request Authenticators
         • The attacker builds a dictionary with the ReqAuth, ID and entire server response.
         • Most server responses will be Access-Accept.
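Added example, not from the deck: the Response Authenticator check that a NAS must apply to every reply (the one integrity check RADIUS has, which, as slide 9 notes, the request side lacks), and a defender's scan over captured Access-Requests for the repeated Request Authenticators that the attacks on this slide depend on. The packets and the shared secret are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2

def make_reply(secret: bytes, code: int, identifier: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side (RFC 2865 section 3): the reply is stamped with
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_reply(secret: bytes, reply: bytes, req_auth: bytes) -> bool:
    """NAS side: recompute the Response Authenticator for the reply as received and
    compare in constant time. Altered attributes or a wrong secret both fail; this is
    the only integrity check RADIUS offers, and it covers replies, not requests."""
    expected = make_reply(secret, reply[0], reply[1], req_auth, reply[20:])
    return hmac.compare_digest(reply[4:20], expected[4:20])

def repeated_request_authenticators(packets):
    """Detection: group Access-Requests by their 16-octet Request Authenticator.
    A value seen in more than one request means the NAS is not producing unique,
    unpredictable authenticators, the precondition for the attacks on this slide.
    Returns {authenticator_hex: [packet Identifiers]} for the repeated values."""
    seen = {}
    for pkt in packets:
        if pkt[0] == ACCESS_REQUEST:
            seen.setdefault(pkt[4:20], []).append(pkt[1])
    return {auth.hex(): ids for auth, ids in seen.items() if len(ids) > 1}

def sample_capture():
    """Constructed stand-in for a packet capture: three Access-Requests carrying a
    User-Name attribute, two of them (Identifiers 1 and 3) reusing one Request
    Authenticator."""
    reused_auth = bytes.fromhex("00112233445566778899aabbccddeeff")
    fresh_auth = bytes(range(16, 32))
    attrs = b"\x01\x07alice"  # User-Name, Length 7
    def request(identifier, auth):
        return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs
    return [request(1, reused_auth), request(2, fresh_auth), request(3, reused_auth)]
```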

  11. Conclusion
     • RADIUS is a remote authentication protocol.
     • RADIUS is a de-facto standard for remote authentication.
     • RADIUS is an extensible protocol and can support many authentication methods (e.g. EAP).
     • RADIUS has several weaknesses:
       • Usage of a stream cipher
       • The Access-Request transaction is not authenticated at all
     • The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long, generated by a PRNG.
     • DIAMETER was brought in to replace RADIUS and fix some of the flaws:
       • Uses TCP
       • Better transmission-level security using IPsec

  12. References
     • RADIUS can be downloaded from http://ftp.gnu.org/gnu/radius/
     • http://www.panasia.org.sg/conf/pan/c001p028.htm
     • http://www.ietf.org/rfc/rfc2865.txt
     • http://www.ietf.org/rfc/rfc2866.txt
     • http://www.gnu.org/software/radius/radius.html
     • http://www2.rad.com/networks/2000/radius/home.htm
