From: Joshua Hill (josh untruth.org)
Date: Tue Nov 13 2001 - 14:54:38 CST
On Tue, Nov 13, 2001 at 12:16:02PM -0500, aland striker.ottawa.on.ca wrote:
> Some points in that message were also covered by Joshua, he added a
> number of good points, and missed a few others. Specifically, rfc2869
> defines the Message-Authenticator attribute, which is used to sign
> packets. This signature allows Access-Request packets to be verified,
> negating the security problems of spoofed packets.
Unless the attacker simply removes the Message-Authenticator from
the packets before replaying them...
Leaving out any reference to rfc2869 was an oversight on my part. I
recently updated the online version of my analysis with pertinent
information regarding the Message-Authenticator. Take a look at the
last two paragraphs of section 4.2 at:
http://www.untruth.org/~josh/security/radius/radius-auth.html
Thanks for your comments,
Josh
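
The point raised in this exchange, as an added example that is not part of the original message or of the linked analysis: a server-side check that verifies the rfc2869 Message-Authenticator (HMAC-MD5 over the packet with the attribute value zeroed) and, under a "require" policy, rejects Access-Requests that arrive without it. The function names, the `require_ma` flag and the sample packets are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869

def build_access_request(secret, ident, req_auth, attrs, sign=True):
    """Build a constructed Access-Request; attrs is a list of (type, value)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:  # reserve the attribute with a zeroed 16-byte value
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
    if sign:  # HMAC-MD5 over the whole packet, keyed with the shared secret
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def check_access_request(secret, pkt, require_ma=True):
    """Return 'ok', 'missing', 'bad-mac' or 'malformed' for one packet."""
    if len(pkt) < 20:
        return "malformed"
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        return "malformed"
    pkt, pos, ma_at = pkt[:length], 20, None
    while pos < length:  # walk the type-length-value attributes
        if pos + 2 > length:
            return "malformed"
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return "malformed"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or ma_at is not None:
                return "malformed"
            ma_at = pos + 2
        pos += alen
    if ma_at is None:
        # An unsigned request is indistinguishable from one whose signature
        # was removed, so only a "require" policy closes that gap.
        return "missing" if require_ma else "ok"
    zeroed = pkt[:ma_at] + bytes(16) + pkt[ma_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(expected, pkt[ma_at:ma_at + 16])
    return "ok" if ok else "bad-mac"
```

With `require_ma=False` the check only helps for packets that still carry the attribute, which is the gap the reply above describes.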