[cisco-bba] Re: [cisco-nas] >255 radius requests = bug?

Tassos Chatzithomaoglou achatz at forthnet.gr
Fri May 28 20:37:03 EDT 2004

Hi Dennis,

As it seems, you're watching my tac case too? ;-)

Dennis Peng wrote:
> achatz at forthnet.gr [achatz at forthnet.gr] wrote:
>>The scenario
>>LNS terminating 500+ adsl users.
>>The tunnel goes down/up, so all users are trying again to authenticate simultaneusly.
>>Radius server isn't able to handle all those requests, so some udp packets are dropped.
>>Router has to retransmit all these requests that aren't replied.
>>Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.
>>Router sends a access-request using an id and at the same time the radius is using the same id 
>>in order to reply to the router for a previous request (which also had this id). 
>>So the router thinks that this reply from the radius is about the last request, 
>>but this is actually for the previous request (both had the same  id).
> This cannot happen. Each Access-Request the router sends has a random
> number in the Request-Authenticator. When the RADIUS server responds,
> the Message-Authenticator contains a hash of the RADIUS reply along
> with Request-Authenticator and other fields. If the router has more
> then one transaction outstanding for a particular transaction id, it
> will try to decrypt the response packet with each of the outstanding
> Request-Authenticator's which used that transaction id. Only the
> "correct" Access-Request would have the right Request-Authenticator to
> decrypt the packet. So you may see "decrypt" failures in the debug
> logs, however, eventually we will match to the right one.

Although i did saw some decrypt failures, the wrong user (who was not supposed to login, 
since radius was rejecting him) did get the access-accept attributes (which belonged to 
another user!!!) and so he logged in.

>>The result
>>A user which is not allowed to login, will be authenticated normally and 
>>will get all radius attributes of another user (who is allowed to login)!!!
> The problem you are seeing may be a result of low memory. Your logs
> show a failure to insert attributes in the RADIUS database, which is
> usually caused by a lack of free memory. Have you looked at "show mem"
> after one of these events to see if the amount of free memory was low?

I have never seen it fall under 70/15 MB....so can i suppose we don't have a problem here?

>>Can the above result be considered a bug from router's side?
>>Is this the way radius authentication is supposed to work?
> Because the transaction id number space is so limited (256 as you
> mention), we extended our scalability by the use of multiple source
> ports in later code so that bulk transactions with the RADIUS server
> work better. Depending on what version of code you are running, this
> may be on by default. In most recent code, we try to maintain backward
> compatibility, so you have to configure the command "radius-server
> source-ports extended". We will use source ports in the range from
> 21645 to 21844 in that case.
> Dennis
>>If yes, how can something like this be considered secure?

Since i'm already discussing (through my case) it with Irfan and cisco-nas guys are also 
part of the escalation team (quite a relief...), i believe it would be better to stop the 
mails in this list and continue through my case. Glad to see you Dennis ;-)

>>cisco-nas mailing list
>>cisco-nas at puck.nether.net

       Chatzithomaoglou Anastasios
Network Design & Development Department
              FORTHnet S.A.
          <achatz at forthnet.gr>

More information about the cisco-bba mailing list