Lecture 3.1: Handling Remote Access: RADIUS Motivation

More documents

Recommendations

Info

Giuseppe Bianchi RADIUS Provides centralized AAA functionalities Authentication are you really the one you claim to be? Authorization Do you have permissions to access a service? Accounting what are you currently doing/using/paying? » Transmitted bytes, billing, etc Client-Server protocol NAS acts as RADIUS client 1 primary server (0+ secondary servers - replicated) Management of replicated servers implementation dependent Server may in turns act as a proxy Based on UDP/IP Server port 1812 (client port ephemeral, as usual in C/S) RADIUS architecture RADIUS Server application Registered User Database For each entry (user_name), contains (at least): Authentication information (secrets) Authentication Method » One per user! Otherwise attacker would negotiate the least secure method from among a set » If multiple authentication methods provided, much better use distinct user names! Authorization attributes (access profile per each user) Client database Cliends which are entitled to communicate with the server Accounting Database Whhen radius used for accounting Frequently used only for authentication Giuseppe Bianchi 2
RADIUS Security features Per-packet authenticated reply Transactions are authenticated through the use of a shared key between RADIUS server and RADIUS clients Shared Key never sent over the network Per-packet 16-bytes signature Encrypted user password transmission Same shared key used to transmit user passwords Remaining information transmitted in clear text Giuseppe Bianchi PPP ISP NAS Giuseppe Bianchi RADIUS scenario RADIUS server 1. User sends authentication attributes to NAS 2. NAS wraps them into Access-Request sent to Server 3. Server response: OK, NO, Challenge (for some AUTH) if Y, user profile, authorization and config data added 4. NAS notifies user 3 Response Access-Request 2 4 1 3
Page 1: Giuseppe Bianchi Lecture 3.1: Handl
Page 5 and 6: packet format Code: type of radius
Page 7 and 8: Native User-Password Step 1: paddin
Page 9 and 10: PPP CHAP support with RADIUS CHAP
Page 11 and 12: Properties of a good hash function
Page 13 and 14: Message digest size Must be conside
Page 15 and 16: RADIUS Security Weaknesses Recommen
Page 17 and 18: Attack to shared secret based on Us
Page 19 and 20: poor PRNG implementations Attack to
Page 21 and 22: Giuseppe Bianchi Giuseppe Bianchi A
Page 23 and 24: Why “duplicating duplicating”
Page 25: Diameter improvements at a glance /

Lecture 3.1: Handling Remote Access: RADIUS Motivation

Create successful ePaper yourself

Delete template?

Save as template?