At 11:18 AM 11/21/2003, Bill Campbell wrote:
On Fri, Nov 21, 2003, Alan DeKok wrote:
>Oliver Graf <[EMAIL PROTECTED]> wrote:
>> >   With that said, 0.9.3 has been released.  It's in the normal places:
>>
>> I submitted a security report and a new package ebuild to the gentoo
>> ( http://gentoo.org/ ) community.
>
>  Thanks.  This just re-iterates my belief that RADIUS servers should
>be on private networks, far away from any possible source of malicious
>packets.

Either that, or packet filters that restrict the hosts that can
access the radius servers.

Wouldn't work in this case, since packets are UDP: a packet with a spoofed source of a valid client will pass the filter. :\ All you'd need to DoS a radius server is a valid client IP. The RADIUS protocol makes it very hard to enforce additional restrictions, as the packet format is all in cleartext (excepting certain Password attributes) with no validation or signing.

The Message-Authenticator value would serve this purpose, however
it is not required, and as such doesn't help in this case, either,
and won't until or unless it is made mandatory.  That would then
break old clients/servers that don't support Message-Authenticator.

http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

The light at the end of the tunnel is that it *was* made mandatory
for any packet with EAP-Message attributes.

-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
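As an added illustration of the point made in this thread (not code from the thread or from FreeRADIUS), the following Python builds an Access-Request, computes the Message-Authenticator exactly as RFC 2869 describes (HMAC-MD5 over the whole packet with the attribute's own value zeroed), and verifies it. The `require` flag shows the gap Chris describes: unless the server insists on the attribute, a spoofed packet that simply omits it is still accepted. The shared secret, identifier and authenticator values are constructed for the example.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST = 1                # RADIUS packet code, RFC 2865
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # 16-octet HMAC-MD5 attribute, RFC 2869

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(body):
    """Inverse of encode_attrs; returns None if any attribute is truncated or too short."""
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            return None
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return attrs if i == len(body) else None

def build_access_request(secret, identifier, authenticator, attrs, sign=True):
    """Build an Access-Request; with sign=True the last attribute is Message-Authenticator,
    HMAC-MD5(secret, packet) computed while its own value is 16 zero octets (RFC 2869 5.14)."""
    if sign:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    if sign:
        mac = hmac.new(secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac  # the zero placeholder is the final 16 octets; swap in the MAC
    return pkt

def verify_message_authenticator(secret, pkt, require=False):
    """True if pkt carries a valid Message-Authenticator. With require=False a packet that
    omits the attribute is accepted (the gap discussed above); require=True rejects it."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    attrs = parse_attrs(pkt[20:])
    if attrs is None:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, pkt[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])
```

A spoofed source address does nothing against the HMAC, since the forger lacks the shared secret; what the check cannot do is reject a packet that never carried the attribute, which is why making it mandatory (as was done for EAP-Message) is what actually closes the hole.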