At 11:44 AM 3/4/2003 +0100, Paul Dekkers wrote:
When using a RADIUS server to proxy realms to different servers, you of course need a trusted relationship between the servers. (That's why there is a shared secret.) But what if one of the RADIUS servers is hacked or abused in any way: it looks to me that that single RADIUS server is then capable of doing an attack on the whole RADIUS infrastructure. You can just do a dictionary attack on a user you know about in a different network, through the proxy.
Is this true? Is it possible to prevent this kind of attack on the proxying RADIUS server? Is the best solution to prevent any proxy depth in the proxying server by e.g. not proxying subrealms but just realms?
Have you tried sending a request to a FreeRADIUS proxy from a server that is listed only in the 'proxy.conf' file?
No: I assume that is not possible. (But proxying can also be bidirectional, I guess: the server that forwards a request to a RADIUS proxy server has to be a client, but can be a proxy for a realm too.)
But ANY client connecting to the proxy can check credentials for EVERY realm connected to that infrastructure, correct? (And known by the central RADIUS proxy, of course.)
Bottom line: is it desired in this setup to verify credentials on e.g. employees' home access points via RADIUS (when they configure the RADIUS themselves, and thus know a secret)? In my opinion they can exploit this.
Please run this test before proclaiming that it is vulnerable in this manner.
Sorry, I was just wondering if this thought was right. I have done some tests now, and I'll try to make clearer what I meant:
When an AP connects to a local RADIUS server for authentication, that RADIUS server forwards requests for realms it doesn't know about to a central proxy. On that central proxy there has to be a client entry for that first RADIUS server (the server that is accessed by the AP), and a proxy entry for every realm the proxy knows about.
I was wondering if, when the AP is hacked, or the first RADIUS server is hacked (or the secret is simply known and the NAS is replaced by a laptop), there can be ANY request for any known realm to the central proxy. I think even using a simple radtest I can see if the password of the remote user is correct or not. It's like accessing a POP3 server many times (sometimes that's restricted through inetd) to find out someone's password; there is of course a timeout, but I think when forking many clients this IS possible.
Other servers that make no distinction between 'clients' (which are allowed to *send* requests) and 'proxy' (which are allowed to *reply* to requests) may be vulnerable in the manner you mention, however.
I haven't seen them. In Radiator, the only other RADIUS server I know about, there are realm entries for forwarding to other servers, and client entries, just as in FreeRADIUS. I tested this setup by checking with radtest via freeradius1 proxied through freeradius2 and then proxied to a Radiator server where the realm was finally checked: I guess this kind of setup works, and one has to be very restrictive about RADIUS clients: e.g. not every home AP of employees of a company should check credentials via RADIUS?! In this setup any part of the infrastructure can be a weak point.
Any input is appreciated,
Paul
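Detection logic for the proxy-based guessing discussed in this thread, as an added example that is neither part of the thread nor FreeRADIUS's own code: it scans constructed log lines written in the style of a FreeRADIUS radius.log (the line format, client names, realms and the per-client allowed-realm policy are all assumptions) and flags a client that sends a burst of rejected logins for one user, or that asks for a realm it was never configured to serve.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of FreeRADIUS's radius.log (not real data): a home
# AP's RADIUS secret is reused to guess bob's password in a realm the AP never serves.
SAMPLE_LOG = """\
Tue Mar  4 11:44:01 2003 : Auth: Login OK: [alice@example.org] (from client home-ap-7 port 0)
Tue Mar  4 11:44:02 2003 : Auth: Login incorrect: [bob@remote.example] (from client home-ap-7 port 0)
Tue Mar  4 11:44:03 2003 : Auth: Login incorrect: [bob@remote.example] (from client home-ap-7 port 0)
Tue Mar  4 11:44:05 2003 : Auth: Login incorrect: [bob@remote.example] (from client home-ap-7 port 0)
Tue Mar  4 11:44:06 2003 : Auth: Login incorrect: [bob@remote.example] (from client home-ap-7 port 0)
Tue Mar  4 11:44:09 2003 : Auth: Login incorrect: [bob@remote.example] (from client home-ap-7 port 0)
Tue Mar  4 11:45:30 2003 : Auth: Login incorrect: [carol@remote.example] (from client nas-campus port 3)
Tue Mar  4 11:45:40 2003 : Auth: Login OK: [carol@remote.example] (from client nas-campus port 3)
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login "
                     r"(?P<result>OK|incorrect): \[(?P<user>[^\]/]+)(?:/[^\]]*)?\] "
                     r"\(from client (?P<client>\S+) ")

def parse_line(line):
    """Return (timestamp, client, user, realm, ok) for an Auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    realm = m["user"].rsplit("@", 1)[1] if "@" in m["user"] else "NULL"
    return ts, m["client"], m["user"], realm, m["result"] == "OK"

def find_guessing(log, window_seconds=60, threshold=5):
    """Flag (client, user, rejects) where one client produced >= threshold rejects in a window."""
    recent, flagged = defaultdict(deque), {}   # (client, user) -> recent reject timestamps
    for ts, client, user, _realm, ok in filter(None, map(parse_line, log.splitlines())):
        if ok:
            continue
        q = recent[(client, user)]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):   # drop rejects outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(client, user)] = len(q)
    return sorted((c, u, n) for (c, u), n in flagged.items())

def find_realm_violations(log, allowed_realms):
    """Return (client, realm) pairs where a client asked for a realm it is not allowed to serve."""
    bad = set()
    for _ts, client, _user, realm, _ok in filter(None, map(parse_line, log.splitlines())):
        if realm not in allowed_realms.get(client, set()):
            bad.add((client, realm))
    return bad
```

The realm check is the policy side of the thread's point: a client such as a home AP should only ever be allowed to trigger requests for the realms it legitimately serves, and anything else is worth an alert regardless of whether the passwords were right.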
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
