RADIUS Protocol used for providing AAA functionality


2. OUTLINE
- Introduction to RADIUS
- AAA
- RADIUS packet format
- Properties of RADIUS
- RADIUS security
- Experimentation
- Conclusion

3. RADIUS
- REMOTE AUTHENTICATION DIAL-IN USER SERVICE
- Developed for authentication and accounting by Livingston Enterprises in 1991
- Bought by IETF
- RFC 2865 (RADIUS)
- RFC 2866 (RADIUS Accounting)

4. WHY RADIUS?
- Thousands of servers are deployed, each providing different services.
- Different users access the services provided by these servers.
- Authentication is required.
- Authorization and accounting are also required.
- RADIUS provides AAA functionality.

5. AAA
- AAA stands for authentication, authorization and accounting.
- Authentication: verify the user
- Authorization: services provided to the specific user
- Accounting: billing for the service used by the user

6. FEATURES OF RADIUS
- Client/server model
- Network security
- Flexible authentication mechanism
- Extensible protocol

7. PACKET FORMAT OF RADIUS
- CODE: identifies the type of packet. Ex: 1 Access-Request, 2 Access-Accept
- ID: used for matching the response with the request
- LENGTH: the length of the packet including attributes
- AUTHENTICATOR: a random value, generated for both requests and responses
- ATTRIBUTES: variable length; carry the specific information of the packet

  Layout: CODE (1 byte) | ID (1 byte) | LENGTH (2 bytes) | AUTHENTICATOR (16 bytes) | ATTRIBUTES (variable length)
9. RADIUS DETAILS
- RADIUS uses UDP, not TCP. Some reasons:
- Users cannot wait several minutes, so TCP's retransmission and ACK machinery is not required.
- No special handling for offline clients and servers
- Stateless protocol
- Easy to implement a multi-threaded server that serves multiple client requests

10. RADIUS AND SECURITY
- Security is rather primitive.
- Two main functions are provided:
- Attribute (mainly password) hiding
- Authentication of messages
- Both functions are built on the hash function MD5 and the shared secret.

11. RADIUS MESSAGE INTEGRITY PROTECTION
- Access-Request message
- Request Authenticator
- A 16-byte random number generated by the client and placed in the Authenticator field
- It should be globally unique.
- Weak security provision
- Addition of message authentication

12. MESSAGE AUTHENTICATION FIELD
- To protect the Access-Request message, the client calculates MD5 over the entire message using the shared secret.
- For an Access-Request:
- Message authenticator value = MD5(code, length, id, request authenticator, attributes, shared secret)
- For an Accounting-Request:
- Message authenticator value = MD5(code, length, id, request authenticator, attributes, shared secret)

13. RESPONSE AUTHENTICATOR
- From server to client (Access-Reply message)
- The value of the Response Authenticator is calculated with the hash MD5:
- Authenticator value = MD5(code, length, id, request authenticator, attributes, shared secret)

14. ATTRIBUTE HIDING
- User password hiding
- The user password is at most 16 octets long.
- The client (NAS) generates a Request Authenticator and concatenates it with the shared secret that the NAS shares with the RADIUS server.
- The NAS then calculates MD5 of the concatenation and XORs the result with the user password:
- B = MD5(request authenticator, shared secret)
- C = B XOR User Password
- C is placed in the User-Password attribute carried by the Access-Request message.
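The User-Password hiding of slide 14 and the Response Authenticator of slide 13, as an added example that is not part of the slides; it follows the RFC 2865 constructions (secret concatenated before the Request Authenticator, and block chaining for passwords longer than 16 octets, which goes beyond the slide's 16-octet case), and the secret, Request Authenticator and reply are constructed values.

```python
import hashlib
import hmac

# Added example (not from the slides): RFC 2865 User-Password hiding and the
# Response Authenticator, with the client-side check a NAS performs on a reply.
# Chaining for passwords longer than 16 octets follows RFC 2865 section 5.2
# and goes beyond the slide's <= 16 octet case.

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert the chain; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]             # next block keys off the ciphertext
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, length: int,
                           request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(bytes([code, ident]) + length.to_bytes(2, "big")
                       + request_auth + attributes + secret).digest()

def build_reply(code: int, ident: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Server side: header + Response Authenticator + attributes."""
    length = 20 + len(attributes)
    auth = response_authenticator(code, ident, length, request_auth, attributes, secret)
    return bytes([code, ident]) + length.to_bytes(2, "big") + auth + attributes

def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute with the RequestAuth it sent; constant-time compare."""
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    expected = response_authenticator(code, ident, length, request_auth,
                                      packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Note that the Message-Authenticator attribute defined in RFC 2869 is an HMAC-MD5 keyed with the shared secret rather than a plain MD5 over the packet; this block covers only the RFC 2865 constructions shown on the slides.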
15. CLIENT/SERVER IMPLEMENTATION
- RADIUS server: WinRadius
- Client: WinRadius Test
- Database: Microsoft Access

  Diagram: CLIENT (WinRadius Test) <-> SERVER (WinRadius, Access database), exchanging Access request / Access reply and Accounting request / Accounting reply

16. Wireshark trace of an Access-Request

17. Wireshark trace of an Access-Reply

18. Wireshark trace of an Accounting-Request

19. Wireshark trace of an Accounting-Reply

20. Wireshark trace of an Accounting-Stop request

21. VULNERABILITIES OF RADIUS
- Static, manually configured shared secret
- The MD5 hashing method has known vulnerabilities.
- In proxy chaining there is a chain of trust.
- Transport layer protection does not exist.
- Use of a poor random generator for generating the Request Authenticator

22. CONCLUSION
- RADIUS is commonly used in embedded systems (routers, switches, etc.), which cannot handle a large number of users with distinct authentication information.
- RADIUS facilitates centralized user administration.
- RADIUS provides a certain level of protection against sniffing and active attacks.
- Widely implemented by hardware vendors
- Diameter is an improvement over RADIUS.
24. THANK YOU
- QUESTIONS?