<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6249.1">
<TITLE>Re: [cisco-nas] >255 radius requests = bug?</TITLE>
</HEAD>
<BODY dir=ltr>
<P><FONT face="Courier New" size=2>Hi Aaron,</FONT></P>
<P><FONT face="Courier New" size=2>Since I cannot see the bug notes, could you
please paste here its release notes (if any)?</FONT></P>
<P><FONT face="Courier New" size=2>Does it have anything to do with
"radius-server source-ports extended"?</FONT></P>
<P><FONT face="Courier New" size=2></FONT> </P>
<P><FONT face="Courier New" size=2>Also, from RFC 2865:</FONT></P>
<P><FONT face="Courier New" size=2>"A NAS MAY use the same ID across all
servers, or MAY keep track of IDs separately for each server, it is up to the
implementer. If a NAS needs more than 256 IDs for outstanding requests, it
MAY use additional source ports to send requests from, and keep track of IDs
for each source port. This allows up to 16 million or so outstanding requests
at one time to a single server."</FONT></P>
<P><FONT size=2><FONT face="Courier New">I don't want to seem "bad" ( :-D ), but
does this mean that Cisco implemented </FONT><FONT face="Courier New">"MAY use
additional source ports..." just lately?</FONT></FONT></P>
<P><FONT face="Courier New"></FONT> </P>
<P dir=ltr><FONT face="Courier New" size=2>-----Original Message-----
<BR><B>From:</B> Aaron Leonard [mailto:Aaron@Cisco.COM] <BR><B>Sent:</B> Sat
5/29/2004 12:40 AM <BR><B>To:</B> achatz@forthnet.gr <BR><B>Cc:</B>
cisco-bba@puck.nether.net; cisco-nas@puck.nether.net <BR><B>Subject:</B> Re:
[cisco-nas] >255 radius requests = bug?<BR><BR></FONT></P>
<P dir=ltr><FONT face="Courier New" size=2>Hi Tassos,<BR><BR>Sure sounds like
this is a security anomaly.<BR><BR>The good news is that this problem is
addressed in current<BR>IOS (12.2(11)T and above) via CSCdu53246, "RADIUS - ID
wraparounds<BR>should use new source ports".<BR><BR>Aaron<BR><BR><BR>>
-------------<BR>> LNS terminating 500+ adsl users.<BR>> The tunnel goes
down/up, so all users are trying again to authenticate simultaneously.<BR>>
Radius server isn't able to handle all those requests, so some udp packets are
dropped.<BR>> Router has to retransmit all these requests that aren't
replied.<BR>> Since unique-id is only 8 bits, we can have 255 concurrent
unique access-requests.<BR><BR>> Router sends an access-request using an id
and at the same time the radius is using the same id<BR>> in order to reply
to the router for a previous request (which also had this id).<BR>> So the
router thinks that this reply from the radius is about the last request,<BR>>
but this is actually for the previous request (both had the same
id).<BR><BR>> The result<BR>> ----------<BR>> A user which is not
allowed to login, will be authenticated normally and<BR>> will get all radius
attributes of another user (who is allowed to login)!!!<BR><BR>> Can the
above result be considered a bug from router's side?<BR>> Is this the way
radius authentication is supposed to work?<BR>> If yes, how can something
like this be considered secure?<BR></FONT></P>
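<P><FONT face="Courier New" size=2>Added example (not code from this thread, from Cisco IOS, or from any RADIUS implementation): a toy NAS model that correlates replies to outstanding Access-Requests by the 8-bit Identifier, reproducing the wraparound misattribution described above and showing how per-source-port ID spaces (the RFC 2865 "additional source ports" option) avoid it. The class, function names and port numbers are hypothetical.</FONT></P>

```python
# Toy NAS: tracks outstanding RADIUS requests keyed by (source port, Identifier).
# Constructed for illustration; not a real RADIUS client.
from typing import Dict, Optional, Tuple

BASE_PORT = 1645   # hypothetical first NAS source port


class ToyNas:
    def __init__(self, source_ports: int = 1) -> None:
        self.source_ports = source_ports        # 1 = single source port (classic)
        self.sent = 0
        # (source_port, identifier) -> user whose Access-Request is outstanding
        self.outstanding: Dict[Tuple[int, int], str] = {}
        self.collisions = 0                     # key reused while still pending

    def send_request(self, user: str) -> Tuple[int, int]:
        n, self.sent = self.sent, self.sent + 1
        ident = n % 256                         # RFC 2865 Identifier wraps after 256
        port = BASE_PORT + (n // 256) % self.source_ports
        key = (port, ident)
        if key in self.outstanding:
            self.collisions += 1                # classic NAS: ambiguity starts here
        self.outstanding[key] = user
        return key

    def receive_reply(self, key: Tuple[int, int]) -> Optional[str]:
        # A reply carries only the Identifier; the NAS applies it to whichever
        # request is currently outstanding under that (port, id) key.
        return self.outstanding.pop(key, None)


def simulate(users: int, source_ports: int) -> Tuple[int, int]:
    """Burst of simultaneous requests (tunnel flap), then a late reply to the
    first one. Returns (identifier collisions, replies applied to wrong user)."""
    nas = ToyNas(source_ports)
    keys = {u: nas.send_request(u) for u in [f"user{i}" for i in range(users)]}
    # The slow server finally answers user0's request (id 0 on the first port).
    got = nas.receive_reply(keys["user0"])
    # If the key was reused, user0's Access-Accept and attributes land on
    # another user's session: the failure described in the thread.
    wrong = 0 if got == "user0" else 1
    return nas.collisions, wrong


if __name__ == "__main__":
    print("single source port:", simulate(500, 1))    # (244, 1)
    print("16 source ports   :", simulate(500, 16))   # (0, 0)
```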
</BODY>
</HTML>