[cisco-bba] Re: [cisco-nas] >255 radius requests = bug?
Tassos Chatzithomaoglou
achatz at forthnet.gr
Fri May 28 20:37:03 EDT 2004
Hi Dennis,
As it seems, you're watching my tac case too? ;-)
Dennis Peng wrote:
> achatz at forthnet.gr [achatz at forthnet.gr] wrote:
>
>>The scenario
>>-------------
>>LNS terminating 500+ adsl users.
>>The tunnel goes down/up, so all users are trying again to authenticate simultaneusly.
>>Radius server isn't able to handle all those requests, so some udp packets are dropped.
>>Router has to retransmit all these requests that aren't replied.
>>Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.
>>
>>Router sends a access-request using an id and at the same time the radius is using the same id
>>in order to reply to the router for a previous request (which also had this id).
>>So the router thinks that this reply from the radius is about the last request,
>>but this is actually for the previous request (both had the same id).
>
>
> This cannot happen. Each Access-Request the router sends has a random
> number in the Request-Authenticator. When the RADIUS server responds,
> the Message-Authenticator contains a hash of the RADIUS reply along
> with Request-Authenticator and other fields. If the router has more
> then one transaction outstanding for a particular transaction id, it
> will try to decrypt the response packet with each of the outstanding
> Request-Authenticator's which used that transaction id. Only the
> "correct" Access-Request would have the right Request-Authenticator to
> decrypt the packet. So you may see "decrypt" failures in the debug
> logs, however, eventually we will match to the right one.
>
Although i did saw some decrypt failures, the wrong user (who was not supposed to login,
since radius was rejecting him) did get the access-accept attributes (which belonged to
another user!!!) and so he logged in.
>
>>The result
>>----------
>>A user which is not allowed to login, will be authenticated normally and
>>will get all radius attributes of another user (who is allowed to login)!!!
>
>
> The problem you are seeing may be a result of low memory. Your logs
> show a failure to insert attributes in the RADIUS database, which is
> usually caused by a lack of free memory. Have you looked at "show mem"
> after one of these events to see if the amount of free memory was low?
>
I have never seen it fall under 70/15 MB....so can i suppose we don't have a problem here?
>
>>Can the above result be considered a bug from router's side?
>>Is this the way radius authentication is supposed to work?
>
>
> Because the transaction id number space is so limited (256 as you
> mention), we extended our scalability by the use of multiple source
> ports in later code so that bulk transactions with the RADIUS server
> work better. Depending on what version of code you are running, this
> may be on by default. In most recent code, we try to maintain backward
> compatibility, so you have to configure the command "radius-server
> source-ports extended". We will use source ports in the range from
> 21645 to 21844 in that case.
>
> Dennis
>
>
>>If yes, how can something like this be considered secure?
>
Since i'm already discussing (through my case) it with Irfan and cisco-nas guys are also
part of the escalation team (quite a relief...), i believe it would be better to stop the
mails in this list and continue through my case. Glad to see you Dennis ;-)
>
>>_______________________________________________
>>cisco-nas mailing list
>>cisco-nas at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nas
>
>
>
--
***************************************
Chatzithomaoglou Anastasios
Network Design & Development Department
FORTHnet S.A.
<achatz at forthnet.gr>
***************************************
More information about the cisco-bba
mailing list