Introduction%20to%20RADIUS%20Protocol - PowerPoint PPT Presentation

About This Presentation

Title:

Introduction%20to%20RADIUS%20Protocol

Description:

Number of Views:285

Avg rating:3.0/5.0

Slides: 13

Provided by: userg9

Learn more at: http://www.cs.sjsu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Introduction%20to%20RADIUS%20Protocol

1
Introduction to RADIUS Protocol

2
RADIUS

Introduction
RADIUS is an application level protocol that
carries authentication, authorization and
configuration information between a Network
Access Server (NAS) and a Shared Authentication
Server.
Transport protocol - UDP
UDP Port 1812 Authentication
UDP Port 1813 - Accounting
Key Features of RADIUS
Client Server model
Network Security
Flexible Authentication mechanism
Extensible protocol

3
Access-RejectAccess-ChallengeAccounting-Reques
tAccounting-Response

4
RADIUS Overview

5
Authentication and Authorization

6
Accounting

Key Access Request, Access-Reject, an
Access-Challenge or an Access-Accept
Built-in accounting schemes
Unix accounting
Accounting data are stored in files and can be
viewed using radwho and radlast commands
Detailed accounting
The detailed accounting information is stored in
plain text format. The resulting files can easily
be parsed using standard text processing tool.
SQL accounting
information stores it in an SQL database,
processed using standard SQL queries.
Radius is extensible

7
Packet Frame

8
Client Server Sequence

NAS sends encrypted user info with access
request
Access accept with IP-address, network mask,
allowed session time, etc
Accounting Phase starts with Accounting Request
When user logs out accounting phase ends with NAS
sending an 'Accounting-request (Stop)' with some
additional information.
The RADIUS Server responds with an
'Accounting-response' when the accounting
information is stored.

9
Limitations

Response Authenticator Based Shared Secret Attack
Attacker listens to requests and server
responses, and pre-compute MD5 state, which is
the prefix of the response authenticator
MD5(CodeIDLengthReqAuthAttrib)
Perform an exhaustive search on shared secret,
adding it to the above MD5 state each time.
User-Password Attribute Based Shared Secret
Attack
Perform an exhaustive search on shared secret.
The attacker attempts a connection to the NAS,
and intercepts the access-request.
User-Password Based Password Attack
Performs an exhaustive / dictionary attack on
password, XORing it with above MD5 and sending it
each time in appropriate attribute.
Possible due to no authentication on request
packet.

10
Limitations Continued

Shared Secret Hygiene
Viewed as single client
Small key size enabling easy attack
Request Authenticator Based Attacks
Passive User-Password Compromise through Repeated
Request Authenticators
Active User-Password Compromise through Repeated
Request Authenticators
Attacker builds a dictionary as before.
When he predicts he can cause NAS to use a
certain ReqAuth, he tries to connect it and
intercepts access-request.
Replay of Server Responses through Repeated
Request Authenticators
The attacker builds a dictionary with ReqAuth, ID
and entire server response.
Most server responses will be access-accept.

11
Conclusion

RADIUS is a remote authentication protocol.
RADIUS is a de-facto standard for remote
authentication.
RADIUS is an extensible protocol, and can support
many authentication methods (e.g. EAP).
RADIUS has several weaknesses.
Usage of stream cipher
Transaction of Access-Request not authenticated
at all
The RADIUS specification should require each
client use a different Shared Secret. It should
also require the shared secret to be a random bit
string at least 16 octets long that is generated
by a PRNG.
DIAMETER brought in to replace RADIUS and fix
some of the flaws
Uses TCP
Better transmission level security using IPSEC