(RADIATOR) Rogue Radius Requests
Dumpolid Exeplish
dumpexec at gmail.com
Mon Sep 25 06:57:13 CDT 2006
Hi everyone,
We currently have 2 Radius servers and a 2-level client authentication
system with an SQL backend. The first Radius system (called the Access
Radius) is used to authenticate users at the radio access level. The second
Radius server is used to authenticate users at the ISP level. Recently, I
have been noticing rogue Radius requests at the ISP Radius authentication.
This could be a form of attack. Has anyone noticed this sort of problem?
Here is the post from the log files:
Mon Sep 25 05:26:14 2006: DEBUG: Packet dump:
*** Received from 10.18.24.80 port 1645 ....
Code: Access-Request
Identifier: 204
Authentic:
<207><248>z<253><236><254><190>+<230><244><135><200><167><183><0>H
Attributes:
Framed-Protocol = PPP
User-Name = "aolnet/aol.dsl.newuser.10630001000300010001US2241.0000.prod"
<== this is the rogue username
CHAP-Password =
<1>C<189>c<1xxx>y<xxx><219><155><152><xxx><244>1<135>|<220><2xxx>
NAS-Port-Type = Virtual
NAS-Port = 42
Calling-Station-Id = xxxxx at los.isp.com <== this is a valid username
Called-Station-Id = "isp.com"
Service-Type = Framed-User
NAS-IP-Address = 10.18.24.80
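
One way to triage dumps like the one above, as an added example that is not part of the original post and not Radiator's own code: it parses Radiator-style debug packet dumps and lists Access-Requests whose User-Name realm falls outside an allow-list. The `ALLOWED_REALMS` set, the `user@realm` naming convention and the second sample packet are assumptions.

```python
import re

# Assumption: realms this ISP RADIUS server is expected to authenticate.
ALLOWED_REALMS = {"los.isp.com"}
HEADER = re.compile(r"^\*\*\* Received from (\S+) port (\d+)")
ATTR = re.compile(r'^\s*([A-Za-z0-9-]+) = "?(.*?)"?\s*$')

def parse_dumps(text):
    """Return one dict per received packet found in a debug packet dump."""
    packets = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            packets.append({"src": header.group(1), "code": None, "attrs": {}})
        elif packets and line.startswith("Code:"):
            packets[-1]["code"] = line.split(":", 1)[1].strip()
        elif packets and ATTR.match(line):
            name, value = ATTR.match(line).groups()
            packets[-1]["attrs"][name] = value
    return packets

def suspicious_requests(text, allowed=ALLOWED_REALMS):
    """List (source, User-Name) for Access-Requests outside the allowed realms."""
    hits = []
    for pkt in parse_dumps(text):
        user = pkt["attrs"].get("User-Name", "")
        realm = user.rpartition("@")[2].lower() if "@" in user else ""
        if pkt["code"] == "Access-Request" and realm not in allowed:
            hits.append((pkt["src"], user))
    return hits

# Constructed sample: first packet uses values from the post, second is invented.
SAMPLE = """\
Mon Sep 25 05:26:14 2006: DEBUG: Packet dump:
*** Received from 10.18.24.80 port 1645 ....
Code: Access-Request
Attributes:
        User-Name = "aolnet/aol.dsl.newuser.10630001000300010001US2241.0000.prod"
        NAS-IP-Address = 10.18.24.80
Mon Sep 25 05:26:20 2006: DEBUG: Packet dump:
*** Received from 10.18.24.80 port 1645 ....
Code: Access-Request
Attributes:
        User-Name = "user1@los.isp.com"
        NAS-IP-Address = 10.18.24.80
"""
if __name__ == "__main__":
    for src, user in suspicious_requests(SAMPLE):
        print(f"{src}: unexpected User-Name {user!r}")
```

Grouping the returned pairs by source address shows which NAS is relaying the unexpected names.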