[cisco-bba] >255 radius requests = bug?

achatz at forthnet.gr achatz at forthnet.gr
Fri May 28 17:01:34 EDT 2004


The scenario
-------------
LNS terminating 500+ adsl users.
The tunnel goes down/up, so all users are trying again to authenticate simultaneusly.
Radius server isn't able to handle all those requests, so some udp packets are dropped.
Router has to retransmit all these requests that aren't replied.
Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.
 
Router sends a access-request using an id and at the same time the radius is using the same id 
in order to reply to the router for a previous request (which also had this id). 
So the router thinks that this reply from the radius is about the last request, 
but this is actually for the previous request (both had the same  id).
 
The result
----------
A user which is not allowed to login, will be authenticated normally and 
will get all radius attributes of another user (who is allowed to login)!!!
 
Can the above result be considered a bug from router's side?
Is this the way radius authentication is supposed to work?
If yes, how can something like this be considered secure?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/cisco-bba/attachments/20040529/8ab67c21/attachment.html


More information about the cisco-bba mailing list