
RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)



Nelson, David <mailto:dnelson@enterasys.com> supposedly scribbled:

...

> 
> In this particular ISMS use case, SNMP service is authorized based on
> the assertion of identity of the user by the NAS, without the RADIUS
> server ever having performed an authentication, and without the
> benefit of the resultant State attribute.  Thus, the risk is
> potentially higher.   

Actually, the same risk has always been present in RADIUS, because of the way that PPP CHAP (&, for that matter, the MD5-Challenge EAP method) is implemented.  The RADIUS server in the CHAP case generally has no idea whether the user is actually present or not: the NAS presents the server with a self-generated challenge and a response that may or may not be a replay; without saving every challenge-response pair, the server cannot know if the response is fresh or not.
 
> 
> The questions at hand are whether the risk is high enough to be of
> serious concern, and whether or not it can be mitigated? 

The risk I mention above has never seemed to bother anyone, at least not enough to fix it; I don't know why we should be obsessing over it now.

...

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel

archive: <http://psg.com/lists/radiusext/>
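The CHAP replay point made above, as an added illustration (not code from the thread or from any RADIUS implementation): a toy server that checks a CHAP response the way RFC 1994 / MD5-Challenge defines it, MD5(id || secret || challenge), accepts the same NAS-supplied challenge/response pair a second time unless it keeps a cache of pairs it has already accepted. The `RadiusServer` class, the user table and the sample secret are constructed for this example.

```python
import hashlib


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP MD5-Challenge response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class RadiusServer:
    """Constructed stand-in for the RADIUS server side of a CHAP request.

    The NAS generates the challenge itself and forwards challenge plus
    response; the server only sees what the NAS hands it.
    """

    def __init__(self, users: dict, remember_challenges: bool = False):
        self.users = users                # username -> CHAP secret
        self.remember = remember_challenges
        self.seen = set()                 # (user, challenge) pairs accepted so far

    def access_request(self, user: str, ident: int,
                       challenge: bytes, response: bytes) -> str:
        secret = self.users.get(user)
        if secret is None:
            return "Access-Reject"
        if response != chap_response(ident, secret, challenge):
            return "Access-Reject"        # wrong secret or tampered pair
        if self.remember:
            # Mitigation the message alludes to: only by saving every
            # accepted challenge can the server tell a replay from a
            # fresh exchange. Without this, both look identical.
            key = (user, challenge)
            if key in self.seen:
                return "Access-Reject"    # same pair presented again
            self.seen.add(key)
        return "Access-Accept"
```

The first server accepts the identical pair twice; the second rejects the repeat, at the cost of retaining state for every challenge it ever accepted.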