
RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)



aland@nitros9.org supposedly scribbled:

> "Glen Zorn \(gwz\)" <gwz@cisco.com> wrote:
>> The risk I mention above has never seemed to bother anyone, at least
>> not enough to fix it;
> 
>   True.  I think the concern here is that the user has not been
> authenticated.  In the above scenario, the bad guesses 

OK, yeah, but I didn't say anything about guesses: in that scenario, the compromised NAS has saved valid credentials from previous authentications & used them for nefarious purposes.

> have been
> rejected, and no additional information leaks from the RADIUS server
> to the NAS.  If the user is authenticated, then information about the
> user can, and should, be sent from the server to the NAS.
> 
>   I could rephrase the original question as: what information can the
> RADIUS server send to the NAS about the user, if the user was not
> authenticated through RADIUS?  
> 
>   For privacy and security, I think the answer is "none".  For useful
> networks, I think "authorize only" is pretty safe. 
> 
>   If we look at another threat scenario: A user is authenticated
> through RADIUS, and RADIUS returns authorization parameters in the
> Access-Accept.  Since the contents of RADIUS packets aren't
> encrypted, anyone who can see that traffic can see all of the user's
> authorization.  So the information could be construed as public.
> 
>   In that case, there's little additional risk in sending that
> information, again unencrypted, to a NAS without authenticating the
> user.  
> 
>   If the traffic *is* encrypted, then the previous analysis doesn't
> apply... 

I hope that the issue is not divulging the contents of RADIUS attributes but something a bit more serious, like authorizing an imposter.

> 
>   Alan DeKok.

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
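Alan's point in the thread that the attributes in an Access-Accept travel in the clear, while only the Response Authenticator (RFC 2865) depends on the shared secret, can be checked directly. The following is an added example, not code from either poster; the packet, identifier, Request Authenticator and secret are constructed for illustration.

```python
import hashlib
import struct

# RFC 2865 attribute types used in the constructed sample packet
ATTR_NAMES = {8: "Framed-IP-Address", 27: "Session-Timeout", 11: "Filter-Id"}

def build_access_accept(identifier, request_auth, attrs, secret):
    """Build a RADIUS Access-Accept (Code 2) as laid out in RFC 2865 section 3.
    Attributes are plain type/length/value; only the 16-byte Response
    Authenticator is computed with the shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_attributes(packet):
    """Decode the attributes of a RADIUS packet. No secret is needed: any
    observer of the traffic can recover the user's authorization this way."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    out, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        v = packet[pos + 2:pos + l]
        if t == 8:                      # Framed-IP-Address: 4-byte address
            out[ATTR_NAMES[t]] = ".".join(str(b) for b in v)
        elif t == 27:                   # Session-Timeout: 32-bit integer
            out[ATTR_NAMES[t]] = struct.unpack("!I", v)[0]
        else:                           # text attributes such as Filter-Id
            out[ATTR_NAMES.get(t, f"Attr-{t}")] = v.decode("ascii", "replace")
        pos += l
    return code, out

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; this is the only part of the
    packet that a party without the shared secret cannot check or forge."""
    header, body = packet[:4], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return expected == packet[4:20]

# Constructed sample values (not from any real deployment).
REQUEST_AUTH = bytes(range(16))        # stands in for the NAS's Request Authenticator
SECRET = b"example-shared-secret"
SAMPLE = build_access_accept(7, REQUEST_AUTH, [
    (8, bytes([10, 0, 0, 42])),        # Framed-IP-Address 10.0.0.42
    (27, struct.pack("!I", 3600)),     # Session-Timeout 3600 seconds
    (11, b"staff-acl"),                # Filter-Id
], SECRET)
```

Parsing SAMPLE yields the full authorization without SECRET, whereas verify_response succeeds only with the correct secret, which is what makes the attributes "public" in the sense Alan describes.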

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>