Allowing any NAS to connect to my radiusd.

Marcin Jessa lists at yazzy.org
Fri Jul 15 13:09:35 CEST 2005


On Fri, 15 Jul 2005 11:42:57 +0100
"Guy Davies" <Guy.Davies at telindus.co.uk> wrote:

> Hi Marcin,
> 
> You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can
> use the same key.  I think that doing 0.0.0.0/0 would be a very bad plan
> since it only requires that an attacker know the shared key to be able
> to send valid requests.  Since all your devices are matched by a single
> entry then *all* your devices by definition must use the same key 
Good point, they'd need the same key.

> and it
> becomes more likely that the knowledge of that key will "get out" and
> you'll have the tedious task (if you even notice) of changing the secret
> key on every single NAS.
> 
> If you can constrain it to a small subnet, then that's slightly better
> (although still somewhat risky).
> 
> The best method is to have individual clients listed with *unique* keys
> per client (yes, I know this is a real pain but if you want security
> this is about the best you can do with the limited security afforded by
> the shared key).

I know how things work, I was just wondering about the approach since that would make some things easier for me.
What other risks does one run when allowing others to query your radiusd?
I don't think dictionary checks are that useful since passwords and usernames are all pretty long and use special characters.
Could this have a more serious impact on the server, like DoS or such?

 
> Rgds,
> 
> Guy
> 
> > -----Original Message-----
> > From: freeradius-users-bounces at lists.freeradius.org 
> > [mailto:freeradius-users-bounces at lists.freeradius.org] On 
> > Behalf Of Marcin Jessa
> > Sent: 15 July 2005 11:29
> > To: FreeRadius
> > Subject: Allowing any NAS to connect to my radiusd.
> > 
> > 
> > Hi.
> > 
> > I would like to allow any NAS IP to connect to my radius 
> > server restricting connections from NAS only with shared 
> > secret - username and password. Is it possible to use 0.0.0.0 
> > or ANY in clients.conf/SQL nas table ? What are the security 
> > issues having an open setup like that ?
> > 
> > Cheers
> > Marcin Jessa.
> > - 
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > 

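An added example, not part of the original thread or of FreeRADIUS itself: a small Python audit of a clients.conf that flags the three situations Guy describes (a catch-all entry, a subnet entry, and one secret shared by several entries). The sample file, its addresses and secrets, and the function name `audit_clients` are constructed for illustration, and the parser assumes the `client <address> { secret = ... }` block form.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the clients.conf style discussed in the thread
# (addresses and secrets are made up for illustration).
SAMPLE = """
client 0.0.0.0/0 {
    secret    = sharedkey
    shortname = anywhere
}
client 10.10.10.0/24 {
    secret    = sharedkey
    shortname = branch-lan
}
client 192.0.2.17 {
    secret    = Xq7!unique-per-nas
    shortname = nas-17
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(\S+)", re.M)

def audit_clients(text):
    """Return sorted (client, finding) pairs for risky client entries."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop whole-line comments
    findings, by_secret = [], defaultdict(list)
    for name, body in CLIENT_RE.findall(text):
        m = SECRET_RE.search(body)
        if m:
            by_secret[m.group(1)].append(name)
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            continue  # hostname entry: no address range to judge
        if net.prefixlen == 0:
            findings.append((name, "catch-all: any source holding the key is accepted"))
        elif net.num_addresses > 1:
            findings.append((name, f"subnet: {net.num_addresses} addresses share one key"))
    for names in by_secret.values():  # one secret on several entries
        for n in (names if len(names) > 1 else []):
            others = ", ".join(x for x in names if x != n)
            findings.append((n, "secret reused by " + others))
    return sorted(findings)

if __name__ == "__main__":
    for client, finding in audit_clients(SAMPLE):
        print(f"{client}: {finding}")
```

An empty result means every entry is a single address with its own secret, which is the layout recommended in the reply quoted above.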