Lecture 3.1: Handling Remote Access: RADIUS Motivation

packet format 

Code: type of radius packet 

1 Access-Request 

Identifier: match requests with responses 

IP src and UDP src also help matching 

Length 

2 

3 

Access-Accept 

Access-Reject 

minimum 20, maximum 4096 

4 Accounting-Request 

Authenticator: 

used to authenticate reply from server 

Used in user password-hiding algorithm 

Attributes: extensible information field 

5 

11 

Accounting-Response 

Access-Challenge 

Turned out not being extensible 

enough with “only” 256 types… type len value ……… type len value 

code 

1 byte 

identifier 

1 byte 

length 

2 byte 

IP header UDP header RADIUS PACKET 

Giuseppe Bianchi 

authenticator 

16 byte 

Code 

(dec) 

Packet 

attributes 

*** 

Packet authentication 

Request Authenticator 

In Access-Request (CS) 

16 randomly generated bytes 

unpredictable and unique (over the lifetime of shared C/S secret) 

» To avoid replay attack 

Response Authenticator 

In Access-Accept/Reject/Challenge packets (SC) 

One-way MD5 hash of 

the request authenticator, 

the shared secret, 

the packet response information 

» Response packet is signed! Otherwise packet tampering possible! 

Specifically: 

MD5(Code | ID | Length | RequestAuth | Attributes | Secret) 

Giuseppe Bianchi 

5

Previous page

Next page

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

Lecture 3.1: Handling Remote Access: RADIUS Motivation

Create successful ePaper yourself

Delete template?

Save as template?