hi
> >> When using a radius server to proxy realms to different servers, you
> >> of course need a trusted relationship between the servers. (That's
> >> why there is a shared secret.) But what if one of the radius-servers
> >> is hacked or abused in any way: it looks to me that that single
> >> radius server is then capable of doing an attack on the whole
> >> Radius-infrastructure. You can just do a dictionary attack on a user
> >> you know about in a different network, through the proxy.

when you presume that the proxy server can be hacked, why don't you presume directly that the home server can be hacked too, thus revealing all user secrets whatsoever (using CHAP e.g.)?

additionally, why try to find something out about user accounts? you can simply login as whatever user, since you can send an Accept from your proxy server, without proxying whatsoever. otherwise, if you are interested in user data (and can mount that type of attack), what's the point in hacking proxy servers? hack the central element directly! or just read its data base. or go and kill its admin and install your own users ;-) kidding.

look: no protocol in the world and no security system can stand the attack where one *trusted* point is completely taken over by an attacker, by definition. it results in at least partial breakdown. it's like losing the keys to your penthouse - you have to replace the lock.

the point about invading the whole infrastructure is not true though. the proxy server can send wrong requests to every home server which it has a trust relationship with, but you can always configure your home server to only accept some limited number of requests per minute, making it difficult to find out the secret. additionally, the user could use something like EAP/TLS and thus simply not have any shared secrets.

and: after having received 10000 wrong requests for some user from your hacked proxy server, a reasonable home server administrator WILL become suspicious and perhaps block your proxy server. that would be a great deal of DoS but so what? it is hacked anyway, so it's correct. all this is out of the scope of RADIUS though. problems in radius security exist but this is imho not the point.

ciao
artur

PS Simon, you *should* learn Russian just to read War & Peace in original ;-) (ah)

-- 
Artur Hecker
artur[at]hecker.info

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
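The "home server admin will become suspicious" defence above, as an added example that is not part of the thread: a small detector over constructed FreeRADIUS-style auth log lines that counts rejected logins per proxying client per minute and names clients exceeding a threshold. The log format, client names and users are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, loosely modelled on the FreeRADIUS radius.log "Auth:" lines
# (exact format, client names and user names are assumptions for this example).
SAMPLE_LOG = """\
Tue Jan  8 10:00:01 2002 : Auth: Login OK: [alice] (from client proxy-a port 0)
Tue Jan  8 10:00:02 2002 : Auth: Login incorrect: [bob] (from client proxy-b port 0)
Tue Jan  8 10:00:03 2002 : Auth: Login incorrect: [bob] (from client proxy-b port 0)
Tue Jan  8 10:00:04 2002 : Auth: Login incorrect: [bob] (from client proxy-b port 0)
Tue Jan  8 10:00:05 2002 : Auth: Login incorrect: [bob] (from client proxy-b port 0)
Tue Jan  8 10:00:40 2002 : Auth: Login incorrect: [carol] (from client proxy-a port 0)
Tue Jan  8 10:01:10 2002 : Auth: Login incorrect: [bob] (from client proxy-b port 0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port \d+\)"
)

def parse_line(line):
    """Return (minute bucket 'YYYY-mm-dd HH:MM', result, user, client), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts.strftime("%Y-%m-%d %H:%M"), m.group("result"), m.group("user"), m.group("client")

def rejects_per_client_minute(log_text):
    """Count 'Login incorrect' events keyed by (client, minute bucket)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "incorrect":
            continue
        minute, _, _, client = parsed
        counts[(client, minute)] += 1
    return counts

def noisy_clients(log_text, threshold):
    """Clients (e.g. proxies) exceeding `threshold` rejects within one minute."""
    counts = rejects_per_client_minute(log_text)
    return sorted({client for (client, _), n in counts.items() if n > threshold})

if __name__ == "__main__":
    print("clients to review:", noisy_clients(SAMPLE_LOG, threshold=3))
```

A real deployment would feed this from the live log and act on the result (alert, or temporarily refuse that client), which is the per-client limit the post suggests.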
