Introduction to RADIUS Protocol
Presented by: Hiral Shah, Varsha Mahalingappa
RADIUS Introduction:
RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared Authentication Server.
Transport protocol: UDP
- UDP port 1812 - Authentication
- UDP port 1813 - Accounting
Key Features of RADIUS:
- Client/server model
- Network security
- Flexible authentication mechanism
- Extensible protocol
Terminology:
- Access-Request
- Access-Accept
- Access-Reject
- Access-Challenge
- Accounting-Request
- Accounting-Response
- Service
- Session
- Silently discard
RADIUS Overview: Authentication
[Figure: the user supplies a username and password to the RADIUS client; the client sends an authentication request to the RADIUS server; the server returns an authentication acknowledgement to the client.]
Authentication and Authorization
[Figure: the RADIUS client sends an Access-Request frame to the RADIUS server; the server answers with Access-Reject, Access-Challenge or Access-Accept.]
Accounting
- Key: Access-Request, Access-Reject, Access-Challenge or Access-Accept
- Built-in accounting schemes:
  - Unix accounting
    - Accounting data are stored in files and can be viewed using the radwho and radlast commands
  - Detailed accounting
    - The detailed accounting information is stored in plain text format. The resulting files can easily be parsed using standard text processing tools.
  - SQL accounting
    - Accounting information is stored in an SQL database and processed using standard SQL queries.
- RADIUS is extensible
Packet Frame:
- Details
  - Code
  - Identifier
  - Length
  - Authenticator - value used to authenticate the reply from the RADIUS server
  - Attributes - the data
Client Server Sequence
- NAS sends encrypted user info with Access-Request
- Access-Accept with IP address, network mask, allowed session time, etc.
- Accounting phase starts with Accounting-Request
- When the user logs out, the accounting phase ends with the NAS sending an 'Accounting-Request (Stop)' with some additional information. The RADIUS server responds with an 'Accounting-Response' when the accounting information is stored.
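The packet frame and the Access-Request / Access-Accept exchange above, worked through as an added Python example (this is not code from the slides or from GNU Radius). Both sides are shown: the client hides the User-Password with the RFC 2865 MD5 XOR scheme seeded by the Request Authenticator, the server recovers it and answers, and the client checks the Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret) on the reply. The shared secret, user database and attribute set are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as Type/Length/Value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLV attributes; reject lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:HEADER_LEN], decode_attrs(pkt[HEADER_LEN:length])


def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is the 'stream cipher' the Limitations slides refer to."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password."""
    if len(hidden) % 16:
        raise ValueError("User-Password length is not a multiple of 16")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def client_access_request(user, password, secret, ident, req_auth=None):
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(pkt, secret, credentials):
    """Answer an Access-Request with Access-Accept or Access-Reject (no reply attributes)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    fields = dict(attrs)
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in fields and USER_PASSWORD in fields:
        try:
            supplied = reveal_password(fields[USER_PASSWORD], secret, req_auth)
            expected = credentials.get(fields[USER_NAME])
            ok = expected is not None and hmac.compare_digest(supplied, expected)
        except ValueError:
            ok = False
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, req_auth, b"", secret)
    return build_packet(reply_code, ident, resp_auth, [])


def client_verify_reply(reply, req_auth, secret):
    """Recompute the Response Authenticator from the saved Request Authenticator."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, req_auth, encode_attrs(attrs), secret)
    return hmac.compare_digest(expected, resp_auth), code


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value for the demo
    users = {b"alice": b"hunter2"}       # constructed user database
    ra = os.urandom(16)                  # fresh Request Authenticator per request
    req = client_access_request(b"alice", b"hunter2", secret, 7, ra)
    reply = server_handle(req, secret, users)
    print(client_verify_reply(reply, ra, secret))  # (True, 2)
```

The client must keep the Request Authenticator it sent, because the reply carries only the Response Authenticator; a reply computed with any other secret fails the check. Note that the request itself carries no such check, which is the "Access-Request not authenticated" weakness listed later in the deck.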
Limitations
- Response Authenticator Based Shared Secret Attack
  - Attacker listens to requests and server responses, and pre-computes the MD5 state which is the prefix of the response authenticator: MD5(Code+ID+Length+Req. Auth+Attrib)
  - Perform an exhaustive search on the shared secret, adding it to the above MD5 state each time.
- User-Password Attribute Based Shared Secret Attack
  - Perform an exhaustive search on the shared secret.
  - The attacker attempts a connection to the NAS, and intercepts the Access-Request.
- User-Password Based Password Attack
  - Performs an exhaustive / dictionary attack on the password, XORing it with the above MD5 and sending it each time in the appropriate attribute.
  - Possible because there is no authentication on the request packet.
Limitations Continued...
- Shared Secret Hygiene
  - Viewed as a single client
  - Small key size enabling easy attack
- Request Authenticator Based Attacks
  - Passive User-Password Compromise through Repeated Request Authenticators
  - Active User-Password Compromise through Repeated Request Authenticators
    - Attacker builds a dictionary as before.
    - When he predicts he can cause the NAS to use a certain Req. Auth, he tries to connect to it and intercepts the Access-Request.
- Replay of Server Responses through Repeated Request Authenticators
  - The attacker builds a dictionary with Req. Auth, ID and the entire server response.
  - Most server responses will be Access-Accept.
Conclusion
- RADIUS is a remote authentication protocol.
- RADIUS is a de-facto standard for remote authentication.
- RADIUS is an extensible protocol, and can support many authentication methods (e.g. EAP).
- RADIUS has several weaknesses:
  - Usage of a stream cipher
  - Transaction of Access-Request not authenticated at all
  - The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long that is generated by a PRNG.
- DIAMETER was brought in to replace RADIUS and fix some of the flaws
  - Uses TCP
  - Better transmission-level security using IPsec
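The two defender-side checks that follow from the "Shared Secret Hygiene" and "Repeated Request Authenticators" slides and from the conclusion's secret requirements, as an added Python example (not code from the slides or from any RADIUS implementation). It audits a client-to-secret table for per-client uniqueness and the 16-octet minimum, generates a fresh CSPRNG secret, and scans a list of observed Access-Requests for a client reusing a Request Authenticator, which is the precondition for the passive compromise and replay attacks described. The client table and request list are constructed sample data; the "fewer than 8 distinct octet values" check is a heuristic of my own, not something the slides state.

```python
import secrets
from collections import defaultdict

# Minimum from the Conclusion slide: a random shared secret of at least 16 octets
MIN_SECRET_OCTETS = 16
ISSUE_SHORT = "shared secret shorter than 16 octets"
ISSUE_REUSED = "shared secret reused by another client"
ISSUE_LOW_VARIETY = "shared secret has fewer than 8 distinct octet values"  # heuristic, not from the slides


def generate_shared_secret(n_octets=MIN_SECRET_OCTETS):
    """Fresh secret from the OS CSPRNG; generate one per client, never share across clients."""
    return secrets.token_bytes(n_octets)


def audit_shared_secrets(clients):
    """clients: {client_name: secret_bytes}.
    Returns {client: [issues]} for every client whose secret is too short,
    looks low-entropy, or is shared with another client."""
    issues = defaultdict(list)
    owners = defaultdict(list)  # secret -> clients configured with it
    for client, secret in clients.items():
        owners[secret].append(client)
        if len(secret) < MIN_SECRET_OCTETS:
            issues[client].append(ISSUE_SHORT)
        if len(set(secret)) < 8:
            issues[client].append(ISSUE_LOW_VARIETY)
    for secret, names in owners.items():
        if len(names) > 1:
            for client in names:
                issues[client].append(ISSUE_REUSED)
    return dict(issues)


def find_repeated_request_authenticators(requests):
    """requests: iterable of (client, identifier, request_authenticator_bytes)
    taken from observed Access-Requests.
    Returns {(client, authenticator): [identifiers]} for every authenticator a
    client used more than once. A correct NAS draws a fresh random value per
    request, so any hit means that NAS's password hiding keystream repeated
    and its server responses could be replayed."""
    seen = defaultdict(list)
    for client, ident, req_auth in requests:
        seen[(client, req_auth)].append(ident)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


# Constructed sample data for the demo
SAMPLE_CLIENTS = {
    "nas-a": b"secret",           # short and reused
    "nas-b": b"secret",           # same secret as nas-a
    "nas-c": bytes(range(16)),    # 16 distinct octets, unique: passes
    "nas-d": b"short",            # short only
}
_RA1, _RA2 = bytes(range(16)), bytes(range(16, 32))
SAMPLE_REQUESTS = [
    ("nas-a", 1, _RA1),
    ("nas-a", 2, _RA2),
    ("nas-a", 3, _RA1),   # nas-a reused _RA1
    ("nas-b", 4, _RA1),   # a different client, seen once: not a repeat
]


if __name__ == "__main__":
    for client, found in sorted(audit_shared_secrets(SAMPLE_CLIENTS).items()):
        print(client, found)
    for (client, ra), ids in find_repeated_request_authenticators(SAMPLE_REQUESTS).items():
        print(f"{client} reused Request Authenticator {ra.hex()} in identifiers {ids}")
    print("new secret:", generate_shared_secret().hex())
```

Run the Request Authenticator scan over a capture from each NAS periodically; the repeats it reports point at a NAS with a weak random source, which the slides identify as the root of the Request Authenticator attacks.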
References
- RADIUS can be downloaded from http://ftp.gnu.org/gnu/radius/
- http://www.panasia.org.sg/conf/pan/c001p028.htm
- http://www.ietf.org/rfc2865.txt
- http://www.ietf.org/rfc2866.txt
- http://www.gnu.org/software/radius.html
- http://www2.rad.com/networks/2000/radius/home.htm