RADIUS
Remote Authentication Dial-In User Service.
The network access device operates as a client of RADIUS.
RADIUS servers are responsible for:
Receiving user connection requests.
Authenticating the user.
Returning all configuration information necessary for the client to deliver service to the user.
Transactions between the client and the RADIUS server are authenticated using a shared secret.
Supports a variety of methods to authenticate a user.
PAP, CHAP, MS-CHAP, UNIX login, and other authentication mechanisms.
Combines authentication and authorization, but separates accounting (less flexible than TACACS+).
Uses UDP (less robust).
Unidirectional authentication.
Only encrypts the password (less secure).
RADIUS accounting can hold more information.
Code - Identifies the type of RADIUS packet.
(1) Access-Request,
(2) Access-Accept,
(3) Access-Reject,
(4) Accounting-Request,
(5) Accounting-Response,
(11) Access-Challenge.
Identifier - Allows the RADIUS client to match a RADIUS response with the correct pending request (usually implemented as a counter).
Authenticator - 16-octet field whose meaning depends on the direction.
In client Requests - Random value (the Request Authenticator).
In server Responses - MD5 hash of (Code, ID, Length, Request Authenticator, Attributes, Shared Secret).
Attributes - Section where an arbitrary number of attribute fields can be sent.
e.g. the User-Name and User-Password attributes.
Only the password is encrypted.
The shared secret followed by the Request Authenticator is put through an MD5 hash to produce a 16-octet value, which is XORed with the password entered by the user.
If the user password is longer than 16 octets, it is broken into 16-octet blocks and additional MD5 calculations are performed, one per block.
The RADIUS protocol has a set of known vulnerabilities.
The Access-Request packet is not authenticated at all.
Many client implementations do not create Request Authenticators that are sufficiently random.
Many administrators choose RADIUS shared secrets with insufficient information entropy and many implementations limit the shared secret key space.