AW: Allowing any NAS to connect to my radiusd.

Marc.Werner at t-systems.com Marc.Werner at t-systems.com
Fri Jul 15 13:27:11 CEST 2005


>From the security point of it would be easier to launch some type of non-repudiation attacks without the need of spoofing I think. The shared secret can easily be recovered by sniffing some RADIUS traffic and decrypting it. I think this is even mentioned in the RFC. 
So removing one lock and only leaving an unsecure lock isn't a good idea I think...

Rgds Marc

-----Ursprüngliche Nachricht-----
Von: freeradius-users-bounces at lists.freeradius.org [mailto:freeradius-users-bounces at lists.freeradius.org] Im Auftrag von Marcin Jessa
Gesendet: Freitag, 15. Juli 2005 13:10
An: FreeRadius users mailing list
Cc: Guy.Davies at telindus.co.uk
Betreff: Re: Allowing any NAS to connect to my radiusd.

On Fri, 15 Jul 2005 11:42:57 +0100
"Guy Davies" <Guy.Davies at telindus.co.uk> wrote:

> Hi Marcin,
> 
> You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can
> use the same key.  I think that doing 0.0.0.0/0 would be a very bad plan
> since it only requires that an attacker know the shared key to be able
> to send valid requests.  Since all your devices are matched by a single
> entry then *all* your devices by definition must use the same key 
Good point, they'd need the same key.

>and it
> becomes more likely that the knowledge of that key will "get out" and
> you'll have the tedious task (if you even notice) of changing the secret
> key on every single NAS.
> 
> If you can constrain it to a small subnet, then that's slightly better
> (although still somewhat risky).
> 
> The best method is to have individual clients listed with *unique* keys
> per client (yes, I know this is a real pain but if you want security
> this is about the best you can do with the limited security afforded by
> the shared key).

I know how things work, I was just wondering about the approach since that would make some things easier for me.
What other risks does one run when others to query your radiusd ?
I dont think dictionary checks are that useful since passwords and username are all pretty long and use special characters.
Could this have a more serious impact on the server like DOS or such ?

 
> Rgds,
> 
> Guy
> 
> > -----Original Message-----
> > From: freeradius-users-bounces at lists.freeradius.org 
> > [mailto:freeradius-users-bounces at lists.freeradius.org] On 
> > Behalf Of Marcin Jessa
> > Sent: 15 July 2005 11:29
> > To: FreeRadius
> > Subject: Allowing any NAS to connect to my radiusd.
> > 
> > 
> > Hi.
> > 
> > I would like to allow any NAS IP to connect to my radius 
> > server restricting connections from NAS only with shared 
> > secret - username and password. Is it possible to use 0.0.0.0 
> > or ANY in clients.conf/SQL nas table ? What are the security 
> > issues having an open setup like that ?
> > 
> > Cheers
> > Marcin Jessa.
> > - 
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> > 
> 
> This e-mail is private and may be confidential and is for the intended recipient only.  If misdirected, please notify us by telephone and confirm that it has been deleted from your system and any copies destroyed.  If you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it.  We use reasonable endeavours to virus scan all e-mails leaving the Company but no warranty is given that this e-mail and any attachments are virus free.  You should undertake your own virus checking.  The right to monitor e-mail communications through our network is reserved by us. 
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list