[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Request for Review: "Issues and Fixes" changes

To: aland@deployingradius.com
Subject: Re: Request for Review: "Issues and Fixes" changes
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Tue, 21 Aug 2007 23:54:14 -0700
Bcc:
Cc: dnelson@elbrysnetworks.com, radiusext@ops.ietf.org
In-reply-to: <46CBD84B.4000709@deployingradius.com>

  Some of which can be dealt with by mandating Message-Authenticator.
Once the NAS is authenticated, there are fewer security issues with
allowing it to perform authorization checks.

There are two somewhat distinct issues. One is the authenticity of theAccess-Request; that is addressed by adding Message-Authenticator. Theother is whether the NAS is authorized to obtain the user's authorizations.That requires the NAS to demonstrate that it is acting on behalf of a liveuser via the inclusion of either an authentication attribute or State.

RFC 3576 is silent on this issue, because it defines Authorize Only in
the context of CoA / Disconnect messages, and not for Access-Requests.


Right.

  Maybe something like this:

...
Any Access-Request packet that performs authorization checks,
including Call Check, MUST contain a Message-Authenticator attribute.

I'm not sure what it means to say "performs authorization checks". Do youmean that the Access-Request doesn't contain an authentication attribute(and therefore that State is required)? While we do require "AuthorizeOnly" Access-Requests to include a Message-Authenticator attribute, I'm notsure this is the only case.

Any response to an Access-Request performing an authorization check
MUST NOT contain confidential information about any user (such as
Tunnel-Password), unless that Access-Request contains a State
attribute.

I don't know that the RADIUS server can necessarily determine whatattributes constitute "confidential information". So I think we need totry to simplify things somewhat. Was there an issue with the RFC 2865prescription (either include an authentication attribute or State)?

  The Call-Check situation is one where the authentication is being done
on the call, via the Called / Calling Station Id.  So in this situation,
the Called / Calling Station id attributes are the authentication
attributes.

That seems like a reasonable explanation of the RFC 2865 MUST. I'd suggestthat we include this explanation in the text to clarify the meaning of"authentication attribute" in RFC 2865.

  However, most systems implementing this kind of check (e.g. MAC
address checking) do so by setting the User-Name and User-Password to
the MAC address.  This is done because it's easier to just add a MAC
address as a user/password, rather than implementing a Call-Check
policy.  This practice should be discouraged, because it results in
giving an attacker both the clear-text and cipher-text for User-Password.

Which in turn can lead to compromise of the User-Password attribute if theRequest Authenticator is every repeated with the same shared secret (e.g.global and temporal uniqueness required as per RFC 2865). This also wouldbe something worth including in the text.

  The server doesn't need to use State for EAP.  It doesn't need to use
State for *some* challenge-response systems using User-Password.  It
doesn't need to use State for Call-Check... which doesn't leave many
areas where it is needed.

Yup. RFC 2865 only REQUIRES State where "authentication attributes" are notpresent at all. So if we can clarify what "authentication attributes" mean,then we'll know when State is required.

  The most common use of State seems to be in *addition* to the
authentication attributes.  e.g. EAP, or challenge-response methods that
leverage User-Password.


Yes.

  A less common use of State is for authorization checks, in order to
tie the authorization checks to a previous authentication session.  (And
how does the server know that the NAS will need State for use in a later
authorization check?  Should the server ALWAYS send State back?)

In a CoA-Request with "Authorize Only" the DAC expects that anAccess-Request will result. Now this presumes that the DAC can obtain aState Attribute that the RADIUS server will understand. Otherwise, theRADIUS server won't be able to make sense of the State Attribute provided bythe DAC.

As for other cases, I think it may depend on the attributes included in theAccess-Accept. However, in the interest of simplicity, it is probably notreasonable for the RADIUS server to keep track of all the situations inwhich a State attribute might be needed.

  I can't recommend when State MUST be used elsewhere, because I can't
think of other situations where it's needed.  The text already makes it
a MUST for Authorization-Only, and MUST for other authorization checks.

Can we define what "authorization checks" means? Is this just Service-Type =Call Check or Authorize-Only?




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: Request for Review: "Issues and Fixes" changes
  - From: Alan DeKok <aland@deployingradius.com>

References:
- Re: Request for Review: "Issues and Fixes" changes
  - From: Alan DeKok <aland@deployingradius.com>

Prev by Date: Re: Request for Review: "Issues and Fixes" changes
Next by Date: Re: Request for Review: "Issues and Fixes" changes
Previous by thread: Re: Request for Review: "Issues and Fixes" changes
Next by thread: Re: Request for Review: "Issues and Fixes" changes
Index(es):
- Date
- Thread