The Access-Request Packet
By default, and as the RFC specifies it, nothing in a RADIUS Access-Request packet is verified or authenticated. The Request Authenticator is just 16 random bytes; only the server's reply (Access-Accept, Access-Reject, Access-Challenge) carries a keyed Response Authenticator. The only check a RADIUS server performs on an incoming request is that its source IP address matches one of the configured clients, and because RADIUS runs over UDP, spoofing a source address is trivial. This is a serious limitation of the RADIUS protocol design.
As of now, the only workable solution is to require the presence of the Message-Authenticator attribute (type 80) in all Access-Request messages. Briefly, the Message-Authenticator is an HMAC-MD5 (not a plain MD5 hash) of the entire Access-Request packet, keyed with the client's shared secret; the HMAC is computed with the attribute's own 16-byte value filled with zeros, and the result is then written into that value. When a RADIUS server is configured to accept only Access-Request messages carrying a valid Message-Authenticator, it must silently discard any packet in which the attribute is missing or fails verification. Without the attribute, a spoofed request is indistinguishable from a legitimate one; with it, an attacker who does not know the shared secret cannot forge or alter a request. More information on the Message-Authenticator attribute can be found in Chapter 9 or in RFC 2869.
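The following is an added example, not code from the book, showing how a client computes the Message-Authenticator and how a server enforces the "discard if missing or invalid" policy. It builds a minimal Access-Request (User-Name and NAS-IP-Address only, no User-Password handling) over a constructed shared secret and Request Authenticator, and then checks a genuine packet, a packet whose User-Name was altered in transit, a packet forged with a wrong secret, and a packet that omits the attribute entirely. All attribute types and packet layout follow RFC 2865/2869; the secret, identifier, and Request Authenticator values are made up for the demo.

```python
import hmac
import hashlib
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_LEN = 16          # Message-Authenticator value is always 16 bytes
HEADER_LEN = 20      # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(atype, value):
    """Encode one attribute: Type, Length (incl. these two bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_packet(identifier, request_authenticator, attrs):
    """Assemble a raw Access-Request with no integrity protection."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + request_authenticator + body


def sign_access_request(secret, identifier, request_authenticator, attrs):
    """Client side: append Message-Authenticator and fill it with HMAC-MD5.

    The HMAC is keyed with the shared secret and computed over the whole
    packet while the attribute's value is 16 zero bytes (RFC 2869 3.3).
    """
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN))
    packet = bytearray(build_packet(identifier, request_authenticator, attrs + [placeholder]))
    mac = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    packet[-MA_LEN:] = mac   # the placeholder is the last attribute
    return bytes(packet)


def parse_attributes(packet):
    """Return [(offset, type, value)] or raise ValueError on a malformed packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    out, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(secret, packet):
    """Server side: True only if exactly one well-formed, valid attribute is present."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    found = [(off, val) for off, t, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != MA_LEN:
        return False
    off, received = found[0]
    zeroed = bytearray(packet)
    zeroed[off + 2:off + 2 + MA_LEN] = bytes(MA_LEN)   # recreate the signing input
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)       # constant-time compare


def server_decision(secret, packet):
    """Policy from the text: process only verified requests, silently discard the rest."""
    return "process" if verify_message_authenticator(secret, packet) else "discard"


def demo():
    """Constructed scenario: one honest client, three attacks. Returns the decisions."""
    secret = b"testing123"                       # constructed shared secret
    req_auth = bytes(range(16))                  # constructed Request Authenticator
    attrs = [attr(ATTR_USER_NAME, b"alice"), attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]

    genuine = sign_access_request(secret, 7, req_auth, attrs)

    tampered = bytearray(genuine)
    tampered[HEADER_LEN + 2] ^= 0x01             # flip a bit in the User-Name value
    forged = sign_access_request(b"wrong-secret", 7, req_auth, attrs)   # spoofer without the secret
    unsigned = build_packet(7, req_auth, attrs)  # legacy request with no attribute

    return {
        "genuine": server_decision(secret, genuine),
        "tampered": server_decision(secret, bytes(tampered)),
        "forged": server_decision(secret, forged),
        "unsigned": server_decision(secret, unsigned),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} -> {decision}")
```

Note the two details that implementations most often get wrong: the HMAC input must contain the attribute itself (with a zeroed value), not the packet with the attribute stripped, and the comparison must be constant-time so that a spoofer cannot learn the correct value byte by byte through timing.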
If your implementation somehow prevents the use of the Message-Authenticator attribute, at least consider using some sort of account-lockout feature, which disables authentication for an account after a specified number of failed attempts within a specified time. This does nothing to stop a spoofed request from being accepted as genuine, but it does limit how far an attacker can get by replaying or brute-forcing credentials against the server.