[cisco-bba] Re: [cisco-nas] >255 radius requests = bug?
Aaron at Cisco.COM
Fri May 28 17:40:13 EDT 2004
Sure sounds like this is a security anomaly.
The good news is that this problem is addressed in current
IOS (12.2(11)T and above) via CSCdu53246, "RADIUS - ID wraparounds
should use new source ports".
> LNS terminating 500+ adsl users.
> The tunnel goes down/up, so all users are trying again to authenticate simultaneously.
> Radius server isn't able to handle all those requests, so some udp packets are dropped.
> Router has to retransmit all these requests that aren't replied.
> Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.
> Router sends an access-request using an id and at the same time the radius is using the same id
> in order to reply to the router for a previous request (which also had this id).
> So the router thinks that this reply from the radius is about the last request,
> but this is actually for the previous request (both had the same id).
> The result:
> A user who is not allowed to login, will be authenticated normally and
> will get all radius attributes of another user (who is allowed to login)!!!
> Can the above result be considered a bug from router's side?
> Is this the way radius authentication is supposed to work?
> If yes, how can something like this be considered secure?
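
The ID collision described in the quoted report, and the effect of moving to a new source port on wraparound, as an added sketch that is not part of the original thread and is not Cisco IOS code. The class names, the source port number and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field

ID_SPACE = 256      # the RADIUS Identifier field is one octet
SRC_PORT = 50000    # constructed source port for this sketch

@dataclass
class SinglePortClient:
    """Keeps one source port; on wraparound an ID still in flight is reused."""
    next_id: int = 0
    pending: dict = field(default_factory=dict)   # id -> username

    def send(self, user):
        rid = self.next_id
        self.next_id = (rid + 1) % ID_SPACE
        self.pending[rid] = user                  # may overwrite an unanswered request
        return SRC_PORT, rid

    def receive(self, port, rid, result):
        user = self.pending.pop(rid, None)
        return (user, result) if user is not None else None

@dataclass
class MultiPortClient:
    """Moves to a further source port once all 256 IDs on a port are in flight."""
    pending: dict = field(default_factory=dict)   # (port, id) -> username

    def send(self, user):
        port = SRC_PORT
        while True:
            for rid in range(ID_SPACE):
                if (port, rid) not in self.pending:
                    self.pending[(port, rid)] = user
                    return port, rid
            port += 1

    def receive(self, port, rid, result):
        user = self.pending.pop((port, rid), None)   # unknown pairs are dropped
        return (user, result) if user is not None else None

def late_reply_goes_to(client):
    """Constructed scenario: the Accept for 'alice' arrives after 256 newer requests."""
    first = client.send("alice")
    for i in range(ID_SPACE):
        client.send(f"user{i}")
    return client.receive(*first, "Access-Accept")

print(late_reply_goes_to(SinglePortClient()))
print(late_reply_goes_to(MultiPortClient()))
```

With a single port the delayed Access-Accept is applied to the newest request that reused ID 0; keyed by (source port, ID) it is applied to the request it answers.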