Introduction%20to%20RADIUS%20Protocol - PowerPoint PPT Presentation

About This Presentation
Title:

Introduction%20to%20RADIUS%20Protocol

Description:

... protocol that carries authentication, authorization and ... Authentication and Authorization : Access Request Frame. Access-Reject. or Access-Challenge ... – PowerPoint PPT presentation

Number of Views:289
Avg rating:3.0/5.0
Slides: 13
Provided by: userg9
Learn more at: http://www.cs.sjsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Introduction%20to%20RADIUS%20Protocol


1
Introduction to RADIUS Protocol
  • Presented By
  • Hiral Shah
  • Varsha Mahalingappa

2
RADIUS
  • Introduction
  • RADIUS is an application level protocol that
    carries authentication, authorization and
    configuration information between a Network
    Access Server (NAS) and a Shared Authentication
    Server.
  • Transport protocol - UDP
  • UDP Port 1812 Authentication
  • UDP Port 1813 - Accounting
  • Key Features of RADIUS
  • Client Server model
  • Network Security
  • Flexible Authentication mechanism
  • Extensible protocol

3
Access-RejectAccess-ChallengeAccounting-Reques
tAccounting-Response
  • Terminology
  • Service
  • Session
  • Silently discard
  • Access-Request
  • Access-Accept

4
RADIUS Overview






  • Authentication


  • Request

  • Username
  • Password




  • Authentication

5
Authentication and Authorization

  • Access Request Frame

  • Access-Reject
  • or
    Access-Challenge
  • or
    Access-Accept

6
Accounting
  • Key Access Request, Access-Reject, an
    Access-Challenge or an Access-Accept
  • Built-in accounting schemes
  • Unix accounting
  • Accounting data are stored in files and can be
    viewed using radwho and radlast commands
  • Detailed accounting
  • The detailed accounting information is stored in
    plain text format. The resulting files can easily
    be parsed using standard text processing tool.
  • SQL accounting
  • information stores it in an SQL database,
    processed using standard SQL queries.
  • Radius is extensible

7
Packet Frame
  • Details
  • Code
  • Identifier
  • Length
  • Authenticator - Value used to authenticate the
    reply from the RADIUS server
  • Attributes - The data

8
Client Server Sequence
  • NAS sends encrypted user info with access
    request
  • Access accept with IP-address, network mask,
    allowed session time, etc
  • Accounting Phase starts with Accounting Request
  • When user logs out accounting phase ends with NAS
    sending an 'Accounting-request (Stop)' with some
    additional information.
  • The RADIUS Server responds with an
    'Accounting-response' when the accounting
    information is stored.

9
Limitations
  • Response Authenticator Based Shared Secret Attack
  • Attacker listens to requests and server
    responses, and pre-compute MD5 state, which is
    the prefix of the response authenticator
  • MD5(CodeIDLengthReqAuthAttrib)
  • Perform an exhaustive search on shared secret,
    adding it to the above MD5 state each time.
  • User-Password Attribute Based Shared Secret
    Attack
  • Perform an exhaustive search on shared secret.
  • The attacker attempts a connection to the NAS,
    and intercepts the access-request.
  • User-Password Based Password Attack
  • Performs an exhaustive / dictionary attack on
    password, XORing it with above MD5 and sending it
    each time in appropriate attribute.
  • Possible due to no authentication on request
    packet.

10
Limitations Continued
  • Shared Secret Hygiene
  • Viewed as single client
  • Small key size enabling easy attack
  • Request Authenticator Based Attacks
  • Passive User-Password Compromise through Repeated
    Request Authenticators
  • Active User-Password Compromise through Repeated
    Request Authenticators
  • Attacker builds a dictionary as before.
  • When he predicts he can cause NAS to use a
    certain ReqAuth, he tries to connect it and
    intercepts access-request.
  • Replay of Server Responses through Repeated
    Request Authenticators
  • The attacker builds a dictionary with ReqAuth, ID
    and entire server response.
  • Most server responses will be access-accept.

11
Conclusion
  • RADIUS is a remote authentication protocol.
  • RADIUS is a de-facto standard for remote
    authentication.
  • RADIUS is an extensible protocol, and can support
    many authentication methods (e.g. EAP).
  • RADIUS has several weaknesses.
  • Usage of stream cipher
  • Transaction of Access-Request not authenticated
    at all
  • The RADIUS specification should require each
    client use a different Shared Secret. It should
    also require the shared secret to be a random bit
    string at least 16 octets long that is generated
    by a PRNG.
  • DIAMETER brought in to replace RADIUS and fix
    some of the flaws
  • Uses TCP
  • Better transmission level security using IPSEC

12
References
  • Radius can be downloaded from http//ftp.gnu.org/
    gnu/radius/
  • http//www.panasia.org.sg/conf/pan/c001p028.htm
  •  
  • http//www.ietf.org/rfc/rfc2865.txt
  • http//www.ietf.org/rfc/rfc2866.txt
  •  
  • http//www.gnu.org/software/radius/radius.html
  •  
  • http//www2.rad.com/networks/2000/radius/home.htm
Write a Comment
User Comments (0)
About PowerShow.com