
Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
"Glen Zorn \(gwz\)" <gwz@cisco.com> wrote:
> The risk I mention above has never seemed to bother anyone, at least not
> enough to fix it;

  True.  I think the concern here is that the user has not been
authenticated.  In the above scenario, the bad guesses have been
rejected, and no additional information leaks from the RADIUS server
to the NAS.  If the user is authenticated, then information about the
user can, and should, be sent from the server to the NAS.

  I could rephrase the original question as: what information can the
RADIUS server send to the NAS about the user, if the user was not
authenticated through RADIUS?

  For privacy and security, I think the answer is "none".  For useful
networks, I think "authorize only" is pretty safe.

  If we look at another threat scenario: A user is authenticated
through RADIUS, and RADIUS returns authorization parameters in the
Access-Accept.  Since the contents of RADIUS packets aren't encrypted,
anyone who can see that traffic can see all of the user's
authorization.  So the information could be construed as public.

  In that case, there's little additional risk in sending that
information, again unencrypted, to a NAS without authenticating the
user.

  If the traffic *is* encrypted, then the previous analysis doesn't
apply...

  Alan DeKok.
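The point about Access-Accept contents being readable on the wire can be checked directly. The following is an added example, not code from the thread or from any RADIUS implementation: it builds a constructed Access-Accept (RFC 2865 layout), parses its attributes without any knowledge of the shared secret, and separately shows that the secret only provides an integrity check (the Response Authenticator), not confidentiality. The secret, identifier, request authenticator and attribute values are all made-up sample data.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute types used in the sample (assumed subset, for display only).
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 11: "Filter-Id", 27: "Session-Timeout"}
ACCESS_ACCEPT = 2

def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attributes(packet):
    """Walk the attribute TLVs. No secret is needed: the values are cleartext,
    so any observer of the traffic can decode them exactly like this."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        v = packet[pos + 2:pos + l]
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        if t == 8:                      # Framed-IP-Address: 4-byte IPv4
            out[name] = ".".join(str(b) for b in v)
        elif t == 27:                   # Session-Timeout: 32-bit integer
            out[name] = struct.unpack("!I", v)[0]
        else:                           # string-valued attributes
            out[name] = v.decode("utf-8", "replace")
        pos += l
    return out

def verify_response_authenticator(packet, request_auth, secret):
    """Integrity only: the secret binds the reply to its request and detects
    tampering or forgery by someone who lacks it; it hides nothing."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

# Constructed sample reply from the RADIUS server to the NAS.
SAMPLE_SECRET = b"example-shared-secret"          # assumption, not a real deployment value
SAMPLE_REQUEST_AUTH = bytes(range(16))            # constructed Request Authenticator
SAMPLE_PACKET = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [
    (1, b"alice"), (8, bytes([10, 1, 2, 3])), (27, struct.pack("!I", 3600)), (11, b"staff-acl"),
])
```

Running `parse_attributes(SAMPLE_PACKET)` recovers every authorization attribute with no secret at all, while `verify_response_authenticator` succeeds only with the correct secret; that asymmetry is the reason the thread treats the Access-Accept contents as effectively public when the transport is not encrypted.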

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>