On Fri, Nov 21, 2003, Chris Parker wrote:
>At 11:18 AM 11/21/2003, Bill Campbell wrote:
>>On Fri, Nov 21, 2003, Alan DeKok wrote:
>>>Oliver Graf <[EMAIL PROTECTED]> wrote:
>>>> > With that said, 0.9.3 has been released. It's in the normal places:
>>>>
>>>> I submitted a security report and a new package ebuild to the gentoo
>>>> ( http://gentoo.org/ ) community.
>>>
>>> Thanks. This just re-iterates my belief that RADIUS servers should be
>>>on private networks, far away from any possible source of malicious
>>>packets.
>>
>>Either that, or packet filters that restrict the hosts that can
>>access the radius servers.
>
>Wouldn't work in this case, since packets are UDP, a packet with a spoofed
>source of a valid client will pass the filter. :\ All you'd need to
>DOS a radius server is a valid client IP. The RADIUS protocol makes
>it very hard to enforce additional restrictions, as the packet format
>is all in cleartext ( excepting certain Password attributes ) with
>no validation or signing.

It's kinda hard to have the radius server on a private network if it's
doing authentication for wholesale dialup connections :-).

>The Message-Authenticator value would serve this purpose, however
>it is not required, and as such doesn't help in this case, either,
>and won't until or unless it is made mandatory. That would then
>break old clients/servers that don't support Message-Authenticator.
>
>http://www.freeradius.org/rfc/rfc2869.html#Message-Authenticator

Or they're running Nortel (Bay) Annex boxes which use broken MD5 hashes,
and Nortel makes it difficult to get updated software.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``No matter how much I may exaggerate it, it must have a certain amount of
truth...Now rumor travels fast but it don't stay put as long as truth''
Will Rogers

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
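The Message-Authenticator check the thread refers to (RFC 2869: HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute value zeroed), as an added example that is not part of the original message or of FreeRADIUS itself. It builds a constructed Access-Request and shows why an unsigned packet from a spoofed client address cannot be told apart from a real one, while a signed one can be verified server-side; the secret and attribute values are constructed sample data.

```python
import hmac
import hashlib
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def parse_attrs(pkt):
    """Yield (offset, type, value) for each AVP after the 20-byte RADIUS header."""
    off = 20
    while off < len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        yield off, t, pkt[off + 2:off + length]
        off += length

def build_request(secret, attrs, sign=True, ident=1):
    """Build an Access-Request (code 1); if sign, append a Message-Authenticator."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        body += struct.pack("BB", MSG_AUTH, 18) + bytes(16)  # placeholder zeros
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + os.urandom(16)
    pkt = bytearray(header + body)
    if sign:
        # HMAC is computed with the attribute value zeroed, then written in place
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def verify_message_authenticator(pkt, secret):
    """True only if the packet carries a Message-Authenticator valid under secret."""
    for off, t, v in parse_attrs(pkt):
        if t == MSG_AUTH and len(v) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
    # No attribute at all: nothing ties the packet to the shared secret, so a
    # packet with a forged source IP is indistinguishable from a real client's.
    return False

if __name__ == "__main__":
    secret = b"testing123"  # constructed sample shared secret
    signed = build_request(secret, [(1, b"alice")])           # User-Name = alice
    unsigned = build_request(secret, [(1, b"alice")], sign=False)
    print("signed   ->", verify_message_authenticator(signed, secret))
    print("unsigned ->", verify_message_authenticator(unsigned, secret))
```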