[cisco-bba] RE: [cisco-nas] >255 radius requests = bug?

Aaron Leonard Aaron at Cisco.COM
Fri May 28 19:20:01 EDT 2004

> Hi Aaron,

> Since i cannot see the bug notes, could you please paste here its release notes (if any)?

No, it doesn't have any release notes.  Someone else told me today
that he was going to take a look at documenting the new RADIUS behavior.

> Does it have anything to do with "radius-server source-ports extended"?

Hm, I think it does.  When the CSCdu53246 fix first appeared in
12.2(11)T, the default behavior was the "radius-server source-ports extended".
It looks like maybe this was changed in 12.3(4) when 
"radius-server source-ports extended" was added.

> Also, from RFC 2865:

> "A NAS MAY use the same ID across all servers, or MAY keep track of IDs
> separately for each server, it is up to the implementer. If a NAS needs more
> than 256 IDs for outstanding requests, it MAY use additional source ports to
> send requests from, and keep track of IDs for each source port. This allows up
> to 16 million or so outstanding requests at one time to a single server."

> I don't want to seem "bad" ( :-D ), but does this mean that Cisco implemented
> "MAY use additional source ports..." just lately?

That would be a reasonable inference.


> -----Original Message-----
> From: Aaron Leonard [mailto:Aaron at Cisco.COM]
> Sent: Sat 5/29/2004 12:40 AM
> To: achatz at forthnet.gr
> Cc: cisco-bba at puck.nether.net; cisco-nas at puck.nether.net
> Subject: Re: [cisco-nas] >255 radius requests = bug?

> Hi Tassos,

> Sure sounds like this is a security anomaly.

> The good news is that this problem is addressed in current
> IOS (12.2(11)T and above) via CSCdu53246, "RADIUS - ID wraparounds
> should use new source ports".

> Aaron

> > -------------
> > LNS terminating 500+ adsl users.
> > The tunnel goes down/up, so all users are trying again to authenticate simultaneously.
> > Radius server isn't able to handle all those requests, so some udp packets are dropped.
> > Router has to retransmit all these requests that aren't replied.
> > Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.

> > Router sends an access-request using an id and at the same time the radius is using the same id
> > in order to reply to the router for a previous request (which also had this id).
> > So the router thinks that this reply from the radius is about the last request,
> > but this is actually for the previous request (both had the same id).

> > The result
> > ----------
> > A user which is not allowed to login, will be authenticated normally and
> > will get all radius attributes of another user (who is allowed to login)!!!

> > Can the above result be considered a bug from router's side?
> > Is this the way radius authentication is supposed to work?
> > If yes, how can something like this be considered secure?
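The identifier wraparound described in this thread, as an added model that is not part of the original messages and not Cisco IOS code. It assumes a constructed shared secret, a NAS that tracks outstanding requests by (source port, Identifier), and a simplified reading of the CSCdu53246 title ("ID wraparounds should use new source ports"): once a source port has 256 requests outstanding, the NAS opens another port, as RFC 2865 permits. It also adds the check a NAS should apply regardless of port handling: RFC 2865 section 3 binds the Response Authenticator to the Request Authenticator of the request the server actually answered, so a stale reply that lands on a reused Identifier fails verification against the newer request's authenticator and must be dropped rather than credited to the wrong user.

```python
"""Model of RADIUS Identifier wraparound (constructed example, not IOS code).
RFC 2865 gives the Identifier field 8 bits, so a NAS can keep at most 256
requests outstanding per (server, source port). The scenario below replays
the tunnel-flap case from the thread: many users re-authenticate at once, the
server answers nothing until the NAS has sent everything, then answers the
very first request late."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SECRET = b"constructed-shared-secret"   # assumption: shared secret for this model


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + req_auth + attrs + SECRET).digest()


@dataclass
class Nas:
    """Client side. extended_ports=False models a NAS that cycles one 8-bit
    counter on a single UDP source port; True models opening a further source
    port once a port's 256 identifiers are all outstanding (assumed behaviour)."""
    extended_ports: bool = False
    outstanding: dict = field(default_factory=dict)  # (port, id) -> (req_auth, user)
    counter: int = 0
    reused_ids: int = 0

    def send(self, user: str):
        port, ident = 0, self.counter % 256
        self.counter += 1
        if self.extended_ports:
            # use the first port with a free identifier instead of wrapping
            while len([k for k in self.outstanding if k[0] == port]) >= 256:
                port += 1
            ident = next(i for i in range(256) if (port, i) not in self.outstanding)
        elif (port, ident) in self.outstanding:
            self.reused_ids += 1     # wrapped onto a request still awaiting its reply
        req_auth = os.urandom(16)    # Request Authenticator, RFC 2865 section 3
        self.outstanding[(port, ident)] = (req_auth, user)
        return port, ident, req_auth

    def ports_in_use(self) -> int:
        return len({k[0] for k in self.outstanding})

    def receive(self, port: int, ident: int, code: int, attrs: bytes, resp_auth: bytes):
        """Match a reply by (source port, id), then verify the Response
        Authenticator against the STORED Request Authenticator of that slot.
        Returns (user the NAS would credit, whether the reply verified)."""
        req_auth, user = self.outstanding[(port, ident)]
        expected = response_authenticator(code, ident, req_auth, attrs)
        valid = hmac.compare_digest(expected, resp_auth)
        if valid:
            del self.outstanding[(port, ident)]   # only a verified reply closes the slot
        return user, valid


def server_reply(ident: int, req_auth: bytes, attrs: bytes):
    """The server answers the request it actually processed; its Response
    Authenticator is bound to that request's Request Authenticator."""
    return ACCESS_ACCEPT, attrs, response_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs)


def simulate(extended_ports: bool, n_users: int = 300) -> dict:
    """Send n_users Access-Requests with no replies, then deliver the server's
    late answer to the first one and report who the NAS credits it to."""
    nas = Nas(extended_ports)
    first = None
    for i in range(n_users):
        sent = nas.send(f"user{i}")
        if i == 0:
            first = sent
    port, ident, req_auth = first
    attrs = b"\x08\x06\x0a\x00\x00\x07"   # constructed Framed-IP-Address 10.0.0.7 for user0
    code, attrs, resp_auth = server_reply(ident, req_auth, attrs)
    credited, valid = nas.receive(port, ident, code, attrs, resp_auth)
    return {"reused_ids": nas.reused_ids, "ports": nas.ports_in_use(),
            "credited_to": credited, "authenticator_ok": valid}


if __name__ == "__main__":
    print("single port:   ", simulate(False))   # reply lands on user256's slot, fails check
    print("extended ports:", simulate(True))    # reply matches user0, verifies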
