[cisco-nas] >255 radius requests = bug?

[Aaron Leonard]

Hi Tassos,

Sure sounds like this is a security anomaly.

The good news is that this problem is addressed in current 
IOS (12.2(11)T and above) via CSCdu53246, "RADIUS - ID wraparounds 
should use new source ports".

Aaron


> -------------
> LNS terminating 500+ adsl users.
> The tunnel goes down/up, so all users are trying again to authenticate simultaneusly.
> Radius server isn't able to handle all those requests, so some udp packets are dropped.
> Router has to retransmit all these requests that aren't replied.
> Since unique-id is only 8 bits, we can have 255 concurrent unique access-requests.
 
> Router sends a access-request using an id and at the same time the radius is using the same id
> in order to reply to the router for a previous request (which also had this id).
> So the router thinks that this reply from the radius is about the last request,
> but this is actually for the previous request (both had the same  id).
 
> The result
> ----------
> A user which is not allowed to login, will be authenticated normally and
> will get all radius attributes of another user (who is allowed to login)!!!
 
> Can the above result be considered a bug from router's side?
> Is this the way radius authentication is supposed to work?
> If yes, how can something like this be considered secure?