At 08:39 AM 5/15/2002 -0700, Bill Campbell wrote:
>On Wed, May 15, 2002 at 08:58:17AM -0500, Chris Parker wrote:
> >At 03:18 PM 5/15/2002 +1000, Andrew Tait wrote:
> >>http://www.untruth.org/~josh/security/radius/radius-auth.html
> >>
> >>For those interested in finding out how easy.
> >
> >All predicated on the assumption that the attacker has access to the
> >network traffic between the client ( NAS ) and the radius server.  Like
> >I said before, if an attacker has access to your network in such a manner
> >there are *lot* of interesting things they can do, cracking radius is
> >just one of them.  :)
>
>The attacker doesn't necessarily have to have access to your net if say the
>radius traffic originates from a dialup wholesaler like megapop.

Didn't say they had to be on your LAN, they just need to be able to "snoop"
traffic anywhere between you and the radius client talking to your server.
Using a wholesaler ( btw, I work for StarNet/MegaPOP ) shouldn't expose you
to any more susceptibility ( unless you don't trust the path between us ).

That could be solved by establishing an IPSec tunnel between our radius
and your servers, setting up a direct network connection ( peering point )
for exchange of radius/authentication traffic, or installing a server
at our colo facility so auth traffic never crosses a third-party network.

>   Anybody making NAS boxes that support IPSec tunnelling?

Yes, but the number that support IPSec tunneling of radius packets is
about equal to the number that support EAP authentication.  :\

-Chris
--
    \\\|||///  \          StarNet Inc.      \         Chris Parker
    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
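The point Chris makes above (that the weakness only matters to someone who can observe the packets between the NAS and the RADIUS server) follows from how RFC 2865 protects the User-Password attribute: the hiding keystream is MD5 over the shared secret and the Request Authenticator, and the Request Authenticator travels in the clear. The following is an added example, not code from this thread or from FreeRADIUS; it implements the RFC 2865 section 5.2 password hiding and the section 3 Response Authenticator so you can see exactly which fields an observer of the wire gets for free and which one (the shared secret) they do not. The secret, password and attribute bytes are constructed sample values.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, worked through
to show what a passive observer of NAS <-> RADIUS traffic can and cannot see.
Example code written for this thread; sample values below are constructed."""
import hashlib
import hmac
import os
import struct


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: c(1) = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    assert len(request_authenticator) == 16
    # Pad with NULs to a multiple of 16 octets; an empty password still yields one block.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = b""
    prev = request_authenticator          # sent in the clear in the Access-Request
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                      # chaining input is the ciphertext block
    return out


def unhide_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped as the RFC requires."""
    assert hidden and len(hidden) % 16 == 0
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(secret: bytes, code: int, identifier: int,
                           request_authenticator: bytes, attributes: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)         # 20-octet header plus attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(secret: bytes, code: int, identifier: int, request_authenticator: bytes,
                    attributes: bytes, received: bytes) -> bool:
    """What a NAS does on receiving an Access-Accept/Reject: recompute and compare in constant time."""
    expected = response_authenticator(secret, code, identifier, request_authenticator, attributes)
    return hmac.compare_digest(expected, received)


def observer_view(request_authenticator: bytes, hidden: bytes) -> dict:
    """Fields of an Access-Request that are visible to anyone on the path.
    Everything needed to regenerate the keystream except the shared secret is here,
    which is why the path itself must be trusted or tunnelled (IPSec, peering, colo)."""
    return {"request_authenticator": request_authenticator.hex(), "user_password": hidden.hex()}


def demo() -> bool:
    secret = b"sample-shared-secret"            # constructed; never reuse in production
    password = b"correct horse battery"         # constructed sample credential
    ra = os.urandom(16)                         # MUST be unpredictable per RFC 2865
    hidden = hide_password(secret, ra, password)
    # Server recovers the password only because it holds the same secret.
    ok_pw = unhide_password(secret, ra, hidden) == password
    # Server answers Access-Accept (code 2) with a Reply-Message attribute (type 18).
    msg = b"Welcome"
    attrs = bytes([18, 2 + len(msg)]) + msg
    resp_auth = response_authenticator(secret, 2, 7, ra, attrs)
    ok_resp = verify_response(secret, 2, 7, ra, attrs, resp_auth)
    bad_resp = verify_response(b"wrong-secret", 2, 7, ra, attrs, resp_auth)
    return ok_pw and ok_resp and not bad_resp


if __name__ == "__main__":
    print("round trip and response check:", demo())
```

Two things worth noticing when running it: the hidden User-Password is at least 16 bytes and a multiple of 16 regardless of the real length, and the Response Authenticator lets the NAS reject a forged reply only as long as the secret stays secret. Neither mechanism adds anything once the shared secret is compromised, which is why moving the traffic onto a trusted path is the right fix rather than relying on the RADIUS-layer hiding alone.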

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html