RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
- To: "Nelson, David" <dnelson@enterasys.com>
- Subject: RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Tue, 18 Jul 2006 15:34:40 -0700
- Cc: <isms@ietf.org>, <radiusext@ops.ietf.org>
Nelson, David <mailto:dnelson@enterasys.com> supposedly scribbled:
...
>
> In this particular ISMS use case, SNMP service is authorized based on
> the assertion of identity of the user by the NAS, without the RADIUS
> server ever having performed an authentication, and without the
> benefit of the resultant State attribute. Thus, the risk is
> potentially higher.
Actually, the same risk has always been present in RADIUS, because of the way that PPP CHAP (&, for that matter, the MD5-Challenge EAP method) is implemented. The RADIUS server in the CHAP case generally has no idea whether the user is actually present or not: the NAS presents the server with a self-generated challenge and a response that may or may not be a replay; without saving every challenge-response pair, the server cannot know if the response is fresh or not.
>
> The questions at hand are whether the risk is high enough to be of
> serious concern, and whether or not it can be mitigated?
The risk I mention above has never seemed to bother anyone, at least not enough to fix it; I don't know why we should be obsessing over it now.
...
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
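The CHAP situation Glen describes above, as an added example that is not part of the original thread: the NAS invents the challenge, the RADIUS server only recomputes MD5(ID || secret || challenge) per RFC 1994, so a re-presented (challenge, response) pair verifies exactly like a fresh one. The second server class shows the mitigation the mail alludes to, keeping a record of every accepted pair; the user database, secret and class names are constructed for this example.

```python
import hashlib
import os

# Constructed user database for the example (username -> CHAP password).
USERS = {b"alice": b"correct horse battery staple"}


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def nas_exchange(username: bytes, chap_id: int):
    """Model the NAS side: it generates the challenge itself and collects the
    peer's response (peer simulated locally). The pair is what the NAS would
    forward in CHAP-Challenge / CHAP-Password; the server never sees the peer."""
    challenge = os.urandom(16)
    return challenge, chap_response(chap_id, USERS[username], challenge)


class StatelessChapServer:
    """RADIUS server as described in the mail: it recomputes the hash and has
    no way to tell a fresh exchange from a re-presented old pair."""

    def verify(self, username, chap_id, challenge, response):
        secret = USERS.get(username)
        if secret is None:
            return False
        return chap_response(chap_id, secret, challenge) == response


class PairCachingChapServer(StatelessChapServer):
    """Mitigation the mail alludes to: remember every accepted
    (challenge, response) pair and refuse the same pair a second time.
    Only exact re-presentation is caught, and only if every server that can
    accept the pair shares this record; a real deployment would also bound
    and expire the set."""

    def __init__(self):
        self.seen = set()

    def verify(self, username, chap_id, challenge, response):
        if not super().verify(username, chap_id, challenge, response):
            return False
        key = (username, chap_id, challenge, response)
        if key in self.seen:
            return False          # pair already accepted once: not fresh
        self.seen.add(key)
        return True
```

Note that the caching server still accepts the first presentation of any valid pair, so it proves nothing about whether the user was present for that exchange; it only stops the same pair being used twice.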
archive: <http://psg.com/lists/radiusext/>