[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
- To: <firstname.lastname@example.org>
- Subject: RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
- From: "Glen Zorn \(gwz\)" <email@example.com>
- Date: Tue, 18 Jul 2006 16:54:42 -0700
- Authentication-results: sj-dkim-2.cisco.com; header.Fromfirstname.lastname@example.org; dkim=pass ( sig from cisco.com verified; );
- Cc: <email@example.com>, <firstname.lastname@example.org>
- Dkim-signature: a=rsa-sha1; q=dns; l=2005; t=1153266883; x=1154130883; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; email@example.com; z=From:=22Glen=20Zorn=20\(gwz\)=22=20<firstname.lastname@example.org> |Subject:RE=3A=20Follow=20up=20on=20Authorize=20Only=20issue=20(was=20RE=3A=20[Is ms]=20ISMS=20session=20summary)=20; X=v=3Dcisco.com=3B=20h=3DCjpP+uhlnMxVEplGPhlYMpJKjW8=3D; b=jqI+104b1X1c3GUrrdZT5YXzCJJewPX/rE+CmUq6AHlVruZzXqh+nDdGO8xtag2sZvtnVVj/ p/diFYciulz8+wu5oNjcoks8DJGR/+9OvAwmiYxFBbcXK8/qeWQvyui5;
email@example.com <mailto:firstname.lastname@example.org> supposedly scribbled:
> "Glen Zorn \(gwz\)" <email@example.com> wrote:
>> The risk I mention above has never seemed to bother anyone, at least
>> not enough to fix it;
> True. I think the concern here is that the user has not been
> authenticated. In the above scenario, the bad guesses
OK, yeah, but I didn't say anything about guesses: in that scenario, the compromised NAS has saved valid credentials from previous authentications & used them for nefarious purposes.
> have been
> rejected, and no additional information leaks from the RADIUS server
> to the NAS. If the user is authenticated, then information about the
> user can, and should be sent from the server to the NAS.
> I could rephrase the original question as: what information can the
> RADIUS server send to the NAS about the user, if the user was not
> authenticated through RADIUS?
> For privacy and security, I think the answer is "none". For useful
> networks, I think "authorize only" is pretty safe.
> If we look at another threat scenairo: A user is authenticated
> through RADIUS, and RADIUS returns authorization parameters in the
> Access-Accept. Since the contents of RADIUS packets aren't
> encrypted, anyone who can see that traffic can see all of the users
> authorization. So the information could be construed as public.
> In that case, there's little additional risk in sending that
> information, again unencrypted, to a NAS without authenticating the
> If the traffic *is* encrypted, then the previous analysis doesn't
I hope that the issue is not divulging the contents of RADIUS attributes but something a bit more serious, like authorizing an imposter.
> Alan DeKok.
Hope this helps,
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.