[cisco-bba] RE: [cisco-nas] >255 radius requests = bug?

achatz at forthnet.gr achatz at forthnet.gr
Fri May 28 19:15:12 EDT 2004


Hi Aaron,

Since I cannot see the bug notes, could you please paste here its release notes (if any)?

Does it have anything to do with "radius-server source-ports extended"?


Also, from RFC 2865:

"A NAS MAY use the same ID across all servers, or MAY keep track of IDs separately for each server, it is up to the implementer. If a NAS needs more than 256 IDs for outstanding requests, it MAY use additional source ports to send requests from, and keep track of IDs for each source port. This allows up to 16 million or so outstanding requests at one time to a single server."

I don't want to seem "bad" ( :-D ), but does this mean that Cisco implemented "MAY use additional source ports..." just lately?


-----Original Message----- 
From: Aaron Leonard [mailto:Aaron at Cisco.COM] 
Sent: Sat 5/29/2004 12:40 AM 
To: achatz at forthnet.gr 
Cc: cisco-bba at puck.nether.net; cisco-nas at puck.nether.net 
Subject: Re: [cisco-nas] >255 radius requests = bug?



Hi Tassos,

Sure sounds like this is a security anomaly.

The good news is that this problem is addressed in current
IOS (12.2(11)T and above) via CSCdu53246, "RADIUS - ID wraparounds
should use new source ports".

Aaron


> -------------
> LNS terminating 500+ adsl users.
> The tunnel goes down/up, so all users are trying again to authenticate simultaneously.
> Radius server isn't able to handle all those requests, so some udp packets are dropped.
> Router has to retransmit all these requests that aren't replied.
> Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.

> Router sends an access-request using an id and at the same time the radius is using the same id
> in order to reply to the router for a previous request (which also had this id).
> So the router thinks that this reply from the radius is about the last request,
> but this is actually for the previous request (both had the same id).

> The result
> ----------
> A user which is not allowed to login, will be authenticated normally and
> will get all radius attributes of another user (who is allowed to login)!!!

> Can the above result be considered a bug from router's side?
> Is this the way radius authentication is supposed to work?
> If yes, how can something like this be considered secure?

