RADIUS packet is below (from the RFC):
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
The code establishes the type of RADIUS packet. The codes are:
Value
Description
1
Access-Request
2
Access-Accept
3
Access-Reject
4
Accounting-Request
5
Accounting-Response
11
Access-Challenge
12
Status-Server (experimental)
13
Status-Client (experimental)
255
Reserved
The identifier is a one octet value that allows the RADIUS client to match a RADIUS response with the correct outstanding request. it is usually implemented as a simple counter that is incremented for each request.
The attributes section is where an arbitrary number of attribute fields are stored. The only pertinent attributes for this discussion are the User-Name and User-Password attributes.
Initial client processing
The client creates an Access-Request RADIUS packet, including at least the User-Name and User-Password attributes.
The Access-Request packet's identifier field is generated by the client.
The Access-Request packet contains a 16 octet Request Authenticator in the authenticator field. This Request authenticator is a randomly chosen 16 octet string.
This packet is completely unprotected, except for the User-Password attribute, which is protected as follows:
c1 = p1 XOR MD5(S + RA)
c2 = p2 XOR MD5(S + c1)
.
.
.
cn = pn XOR MD5(S + cn-1)
The User-Password attribute contains c1+c2+...+cn, Where + denotes concatenation.
Here S is shared secret in server or client, RA is psuedo-random 128bit request authenticator, p1,p2 and so on is 16 octet block by breaking the password
Server processing
Extract the username and password using the same shared secret
Validate the account
Compute response authenticator which is MD5(code+ID+Length+RequestAuth+Attribute+secret), and send back the response packet to client
The server receives the RADIUS Access-Request packet and verifies the packet with shared secret first, it can go through a slightly modified version of the client's protection process on the User-Password attribute and obtain the unprotected password. It then uses its authentication database to validate the username and password. If the password is valid, the server creates an Access-Accept packet to send back to the client, otherwise, send back with Access-Reject packet. Both the Access-Accept packet and the Access-Reject packet use the same identifier value from the client's Access-Request packet, and put a Response Authenticator in the Authenticator field. The response authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
Client post processing
Match ID
Compute the Response Authenticator as the server performed
Check the code field for the result
When the client receives a response packet, it attempts to match it with an outstanding request using the identifier field, then verifies the Response Authenticator by performing the same Response Authenticator calculation the server performed, and then comparing the result with the Authenticator field.
If the client received a verified Access-Accept packet, the username and password are considered to be correct, and the user is authenticated.
No comments:
Post a Comment