>On Fri, Nov 21, 2003, Chris Parker wrote:
>>At 11:18 AM 11/21/2003, Bill Campbell wrote:
>>>On Fri, Nov 21, 2003, Alan DeKok wrote:
>>>>Oliver Graf <[EMAIL PROTECTED]> wrote:
>>>>> > With that said, 0.9.3 has been released. It's in the normal places:
>>>>>
>>>>> I submitted a security report and a new package ebuild to the gentoo
>>>>> ( http://gentoo.org/ ) community.
>>>>
>>>> Thanks. This just re-iterates my belief that RADIUS servers should
>>>>on private networks, far away from any possible source of malicious
>>>>packets.
>>>
>>>Either that, or packet filters that restrict the hosts that can
>>>access the radius servers.
>>
>>Wouldn't work in this case, since packets are UDP a packet with spoofed
>>source of a valid client will pass the filter. :\ All you'd need to
>>DOS a radius server is a valid client IP. The RADIUS protocol makes
>>it very hard to enforce additional restrictions, as the packet format
>>is all in cleartext ( excepting certain Password attributes ) with
>>no validation or signing.
>
>It's kinda hard to have the radius server on a private network if it's
>doing authentication for wholesale dialup connections :-).

Yes. Kinda a problem there. However, an Auth-Req from a proxy target will not match the clients list and will be discarded. You could run a private network between the NAS and the Radius, but then Radius running on multihomed systems has always been interesting. Certainly doable though, given enough time.

IPSec is another tool that could help.

>Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
>and Nortel makes it difficult to get updated software.

That's a problem with Nortel. If the rest of the world can figure out how to do Radius securely and safely, we shouldn't compromise the whole for the few that can't figure out how to follow the RFC's.
-Chris
--
   \\\|||///  \    StarNet Inc.             \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!        \ Director, Engineering
   | @   @ |    \  http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
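The thread above points out that a source-address filter cannot stop a spoofed UDP request, because the packet header carries nothing the spoofer does not already know. The protocol-level answer is the Message-Authenticator attribute (RFC 2869, attribute type 80): an HMAC-MD5 over the whole packet keyed with the shared secret, computed with the attribute's own value zeroed. A server that requires it on every Access-Request discards forgeries from any source address, since the sender must hold the secret; later FreeRADIUS releases expose this per client as the `require_message_authenticator` setting in clients.conf. The example below is added here and is not code from the list thread or from the FreeRADIUS project; the shared secret, user name and NAS address are constructed values. It builds a request with a valid Message-Authenticator, then checks that a forgery made without the secret and a tampered copy of the genuine packet both fail verification.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1                # RFC 2865 attribute types
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, attrs, request_auth=None):
    """Build an Access-Request that carries a Message-Authenticator.

    The HMAC-MD5 is taken over Code, Identifier, Length, Request Authenticator
    and all attributes, with the Message-Authenticator value set to 16 zero
    bytes while the MAC is computed (RFC 2869 section 5.14).
    """
    if request_auth is None:
        request_auth = os.urandom(16)      # fresh random Request Authenticator
    body = b"".join(_attr(t, v) for t, v in attrs)
    body += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac       # the attribute is last, so replace its 16 bytes


def verify_message_authenticator(secret, packet):
    """Return True only if the packet is well formed and its Message-Authenticator
    matches under the given shared secret. A packet without the attribute is rejected,
    which is the policy that makes spoofed-source requests useless to a sender
    who lacks the secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, mac_pos = 20, None
    while pos < length:                    # walk the attribute list, bounds-checking each TLV
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            mac_pos = pos + 2
        pos += attr_len
    if mac_pos is None:
        return False
    zeroed = packet[:mac_pos] + b"\x00" * 16 + packet[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_pos:mac_pos + 16])


# Constructed sample values; none of these come from the list thread.
SECRET = b"example-shared-secret"
SAMPLE_ATTRS = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]


def demo():
    """Genuine request verifies; a forgery built without the secret and a
    tampered copy of the genuine packet do not. Returns the three results."""
    genuine = build_access_request(SECRET, 7, SAMPLE_ATTRS)
    forged = build_access_request(b"wrong-secret", 7, SAMPLE_ATTRS)
    # Flip one bit of the User-Name value (offset 22: 20-byte header + type + length).
    tampered = genuine[:22] + bytes([genuine[22] ^ 1]) + genuine[23:]
    return (verify_message_authenticator(SECRET, genuine),
            verify_message_authenticator(SECRET, forged),
            verify_message_authenticator(SECRET, tampered))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

One caveat worth keeping in mind: this closes the door on forged authentication and on spoofed requests being accepted, but the server still spends an HMAC computation on every packet that reaches it, so it does not by itself remove the bandwidth or CPU exposure that the packet filters and private transport discussed above are meant to limit.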
