RADIUS uses a shared secret to communicate between a RADIUS server and a RADIUS device or client. This shared secret is protected with a hashing algorithm called MD5. For the response authenticator, the shared secret is hashed together with the code, ID, length, request authenticator, and attributes. All of these values are inserted into an MD5 hash, producing a hashed string. Because an MD5 hash is a one-way hash, it cannot be reversed, although it is possible to take a brute-force tool, run every combination of passwords through an MD5 hash, and compare each result to the original hash. If they match, then the password guessed was the correct one. This holds true on a RADIUS frame because all the values listed above can be captured with a wireless sniffer with the exception of the password, which is inside the hash.
If an attacker can capture the authentication process, he can take the frames offline and perform a brute-force attack on them. This frame, by default, is not authenticated by the RADIUS server. This means anyone can start the RADIUS authentication process and capture the hashed shared secret. The one requirement is a source IP address that is defined as a client in the RADIUS server; spoofing one is a trivial activity that even an unskilled attacker can accomplish. The industry has released RFC 2869 to help with this vulnerability. This RFC allows one to set the Message-Authenticator attribute. With this RFC implemented, Access-Request packets are only accepted from a valid predefined RADIUS client. This prevents the RADIUS server from responding and giving away its shared secret to anyone who asks for it. Also, once the shared secret is known for a RADIUS conversation, a similar MD5 operation can be performed on the user’s password.
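The server-side check behind the Message-Authenticator attribute, together with the response authenticator hash described earlier, as an added example that is not part of the original text. The formulas follow RFC 2865 and RFC 2869; the function names, `SECRET` and `SAMPLE` are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type defined in RFC 2869
SECRET = b"constructed-shared-secret"  # sample value, not a real secret


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_request(ident, request_auth, attrs, secret):
    """Build a signed Access-Request; used here only to create sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Return True only if attribute 80 is present and its HMAC-MD5 is valid."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    pos, found = 20, None
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute: drop the packet
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or found is not None:
                return False
            found = pos + 2
        pos += alen
    if pos != length or found is None:
        return False  # unsigned request: discard without answering
    zeroed = packet[:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found:found + 16])


SAMPLE = build_access_request(7, bytes(range(16)), [(1, b"alice")], SECRET)
```

A server that discards every Access-Request for which `verify_message_authenticator` returns False never emits a response authenticator to a sender that does not already hold the secret.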
Another vulnerability of RADIUS has to do with its usage as an authentication server for other media types. Most commonly, RADIUS is used for some type of remote access. In the scenario where RADIUS is used for remote access, some administrators have used the same shared secret for both purposes. If the remote access protocol has vulnerabilities associated with it and an attacker is able to compromise the shared secret, then he can use that to connect a rogue access point to the network and capture a user’s authentication attempts.
Another RADIUS issue that affects security is the security of the RADIUS server itself. Often, the RADIUS server is set up and maintained by network engineers and not server administrators. Network engineers frequently do not have the skill set needed to secure a RADIUS server. This often happens in big companies where the network engineers and server administrators do not interact with each other on a daily basis. This frequently leaves the security server vulnerable to a number of server exploits.












