Potential Security hole with RADIUS 2.x

MegaZone (megazone@livingston.com)
Tue, 22 Jul 1997 15:38:34 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: MegaZone: "CISCO which is an OR (fwd)"
Previous message: Ward Goodwin Jr.: "Re: How To Subnet Using VLSM"

It is more a Stupid User Trick, but it can happen and I wanted to make you
aware of it.

DEFAULT Auth-Type=Local
etc

What will this do? Well, any username will match it, and it will tell RADIUS
to use the local password. BUT THERE IS NO LOCAL PASSWORD!

So if you don't use a password, you get in - any user name.

If you use Auth-Type = Local ALWAYS use Password = "xxx"

We plan on fixing this in the next release, so that Auth-Type = Local
with no Password is a failure. But for now just make sure you don't do this.

-MZ

--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-737-2100 FAX: 510-737-2110 megazone@livingston.com
For support requests: support@livingston.com  <http://www.livingston.com/> 
Snail mail: 4464 Willow Road, Pleasanton, CA 94588

Next message: MegaZone: "CISCO which is an OR (fwd)"
Previous message: Ward Goodwin Jr.: "Re: How To Subnet Using VLSM"