Lecture 3.1: Handling Remote Access: RADIUS Motivation
Packet format<br />
Layout (after the IP header and UDP header): code (1 byte) | identifier (1 byte) | length (2 bytes) | authenticator (16 bytes) | attributes<br />
Code: type of RADIUS packet<br />
Code (dec) / Packet:<br />
1 Access-Request<br />
2 Access-Accept<br />
3 Access-Reject<br />
4 Accounting-Request<br />
5 Accounting-Response<br />
11 Access-Challenge<br />
Identifier: matches requests with responses<br />
IP source address and UDP source port also help matching<br />
Length: minimum 20, maximum 4096<br />
Authenticator:<br />
used to authenticate the reply from the server<br />
used in the user password-hiding algorithm<br />
Attributes: extensible information field, a sequence of type | len | value ... type | len | value<br />
Turned out not to be extensible enough with "only" 256 types...<br />
Giuseppe Bianchi<br />
Packet authentication<br />
Request Authenticator<br />
In Access-Request (C→S)<br />
16 randomly generated bytes<br />
unpredictable and unique (over the lifetime of the shared C/S secret)<br />
» to avoid replay attacks<br />
Response Authenticator<br />
In Access-Accept/Reject/Challenge packets (S→C)<br />
One-way MD5 hash of:<br />
the request authenticator,<br />
the shared secret,<br />
the packet response information<br />
» The response packet is signed! Otherwise packet tampering would be possible!<br />
Specifically:<br />
MD5(Code | ID | Length | RequestAuth | Attributes | Secret)<br />
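To make the packet layout and the Response Authenticator formula concrete, here is an added Python example (not part of the lecture slides): it builds an Access-Request with a random Request Authenticator, signs a reply exactly as MD5(Code | ID | Length | RequestAuth | Attributes | Secret), and performs the client-side check that catches a tampered or mis-matched reply. The shared secret and attribute values passed in are constructed sample data; function names are my own.

```python
import hashlib
import hmac
import os
import struct
# RADIUS codes from the slide's table.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11

def encode_attrs(attrs):
    """Serialise (type, value) pairs as TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for t, v in attrs:
        if not 0 <= len(v) <= 253:  # length byte covers type+len+value, max 255
            raise ValueError("attribute value must fit in 253 bytes")
        out += bytes([t, len(v) + 2]) + v
    return out

def build_packet(code, ident, authenticator, attrs):
    """Header: code(1) | identifier(1) | length(2, big-endian) | authenticator(16)."""
    body = encode_attrs(attrs)
    length = 20 + len(body)
    if length > 4096:
        raise ValueError("RADIUS packet exceeds the 4096-byte maximum")
    return struct.pack("!BBH", code, ident, length) + authenticator + body

def build_access_request(ident, attrs):
    """Request Authenticator: 16 fresh, unpredictable random bytes per request."""
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), as on the slide."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_response(code, request, attrs, secret):
    """Server side: reuse the request's identifier, sign with its Request Authenticator."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, request[1], request[4:20], body, secret)
    return build_packet(code, request[1], auth, attrs)

def verify_response(response, request, secret):
    """Client side: identifier must match the outstanding request and the Response
    Authenticator must recompute; a tampered code or attribute fails here."""
    if not 20 <= len(response) <= 4096:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])  # constant-time compare
```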