Duplicate IPs for Radius Clients with different secrets - allow any client IP?

Anders Holm anders.holm at sysadmin.ie
Wed Dec 17 23:46:05 CET 2008


tnt at kalik.net wrote:
>> What could a hacker do to the server if he can't even get past returning a
>> correct shared secret?
>>     
>
> Get the usernames and passwords of your users and gain access to your
> network at will. Publish them and let anybody use your network.
>
>   

Internet for free. Sounds great. Here's one example, is this you?

      Geier, Eric  me at egeier.com
      297 Marchmont Drive
      Fairborn, Ohio 45324
      United States
      +1.9372600286

First Google hit:

http://www.informit.com/authors/bio.aspx?a=AFEDE263-5156-4C97-AD8E-5E4473511557

Interesting list of books on your site.

"Say I did open up to any IP, the AP's MAC must match one from my list;
moreover the hacker must have the shared secret. Plus if I can add to the
example SQL statement, I would add to the WHERE clause "and domain =(domain
pulled from what's after the username's @ sign). Then the hacker must know a
username and domain that matches an acceptable AP, the user's password, that
acceptable AP's MAC address, and then finally the shared secret for the AP. "

So, because a lot of hurdles are put in front of someone, that should stop them? If so, I would never be where I am today. All that does is challenge your adversaries' intellect, and let us face reality a bit: the ones that know what they are doing would take that challenge on any day. Put a carrot in front of a donkey, and it'll get eaten. Put a lot of carrots in front of the donkey and they'll still get eaten; it'll just take slightly longer.

I can't see how putting your authentication and authorization system in the wild will help you, other than saving a buck on setting up VPNs between your sites. Which can also be done cheaply if cost is the motivator.

Don't let an infrastructure piece like this sit in the open if you use it for your internal purposes. Wouldn't you agree?

//anders
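The two postures argued over above, as an added clients.conf sketch that is not from this thread or from the FreeRADIUS project; it assumes FreeRADIUS 2.x clients.conf syntax, and every address, name and secret placeholder is constructed:

```conf
# Weak: the "open it up to any IP" option. Any host on the Internet can
# reach the server and start guessing the shared secret; the only thing
# between it and your user database is that secret.
client anyone {
    ipaddr  = 0.0.0.0
    netmask = 0
    secret  = REPLACE_WITH_SECRET      # placeholder
}

# Corrected: one entry per access point, each with its own secret, reachable
# only over the site-to-site VPN. Unknown source addresses never get a reply,
# so there is nothing on the public Internet to probe.
client ap-site-a {
    ipaddr    = 10.8.1.10              # constructed: AP behind the VPN at site A
    netmask   = 32
    secret    = REPLACE_WITH_SECRET_A  # placeholder, unique per client
    shortname = ap-site-a
}

client ap-site-b {
    ipaddr    = 10.8.2.10              # constructed: AP behind the VPN at site B
    netmask   = 32
    secret    = REPLACE_WITH_SECRET_B  # placeholder, unique per client
    shortname = ap-site-b
}
```

Pair the per-client entries with a host firewall that only admits UDP 1812/1813 from the VPN subnet, so the listener itself is not exposed even if a client definition is later widened by mistake.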


