Re: Radius & Logoff (fwd)

Victor Muslin (vmuslin@prodigy.com)
Thu, 6 Jun 1996 00:51:52 -0400 (EDT)

RADIUS protocol provides for accounting messages to be "signed"
through the use of a secret shared between the NAS and the RADIUS
server, as far as I can recall, so that they are difficult to
fake. Otherwise, anyone can take one of the RADIUS test programs
distributed with Merit or available from many other sources and in
an hour of work defeat the billing mechanism.

On Thu, 6 Jun 1996, ywliu wrote:

> >
> > Once upon a time ywliu shaped the electrons to say...
> > >While I was hacking the RADIUS daemons (1.16 or Merit 2.23) to meet our
> > >customized needs, I found that , unlike TACACS or ERPCD, RADIUS doesn't seem
> > >to support user logout authentication, i.e. when a user logs out from the
> >
> > Why in the blue blazes would you want to authenticate on logout?
> >
> > "Hey, is that you Bob? It'd better be you or I'm not going to let you
> > logout!"
> >
>
> Of course we cannot prevent a user from logging out. But I think about a
> possible situation: I connect to the server and then fake a logout
> message to the RADIUS server. Then what happens? I can still be on-line
> and the program handling user billing, using the accounting logs generated
> by RADIUS, thinks I am off-line. So, chances are the users can get cheaper
> service. Also, I think that's why TACACS and ERPC treat logout as another
> auth request.
>
> Am I worried too much ?
>
> Yen-Wei Liu
>
>

+------------------------------------------------------------------+
| Victor Muslin                 |                                  |
| Prodigy Services Company      | Voice: (914) 448-4737            |
| 445 Hamilton Avenue, H11A     | Fax: (914) 448-8462              |
| White Plains, NY 10601        | Internet: vmuslin@prodigy.com    |
+-------------------------------+----------------------------------+
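The "signing" Victor describes is the Accounting-Request Request Authenticator of RFC 2866: MD5 over the packet header, sixteen zero octets, the attributes and the shared secret. A server that recomputes it before trusting an Acct-Status-Type of Stop will discard a forged logout from someone who does not hold the NAS's secret. The following is an added illustration, not code from the original post, Merit or any RADIUS daemon; the secret, NAS address, user name and session id are constructed sample values, and the server side assumes the secret has already been looked up for the sending NAS.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1
ACCT_STATUS_STOP = 2


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        out += bytes([attr_type, 2 + len(value)]) + value
    return out


def decode_attrs(body):
    """Parse RADIUS TLVs into a dict of type -> raw value (last one wins)."""
    attrs = {}
    pos = 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_acct_request(identifier, attrs, secret):
    """Build an Accounting-Request the way a NAS (or a test tool) would."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """Server side: recompute the authenticator with the NAS's secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    # Constant-time comparison so timing does not leak the authenticator.
    return hmac.compare_digest(packet[4:20], expected)


def accept_stop_record(packet, secret):
    """Return True only if this is a verified Accounting-Request with Stop status."""
    if not verify_acct_request(packet, secret):
        return False
    attrs = decode_attrs(packet[20:])
    status = attrs.get(ATTR_ACCT_STATUS_TYPE)
    return status is not None and struct.unpack("!I", status)[0] == ACCT_STATUS_STOP


def demo():
    """Genuine Stop from the NAS vs. a Stop forged with a guessed secret."""
    nas_secret = b"constructed-nas-secret"       # shared between NAS and server
    session = [(ATTR_USER_NAME, b"bob"),
               (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
               (ATTR_ACCT_SESSION_ID, b"00000001")]
    genuine = build_acct_request(1, session + [(ATTR_ACCT_STATUS_TYPE, ACCT_STATUS_STOP)],
                                 nas_secret)
    # The still-connected user replays the same attributes but has to guess the secret.
    forged = build_acct_request(2, session + [(ATTR_ACCT_STATUS_TYPE, ACCT_STATUS_STOP)],
                                b"wrong-guess")
    return accept_stop_record(genuine, nas_secret), accept_stop_record(forged, nas_secret)


if __name__ == "__main__":
    print("genuine stop accepted, forged stop accepted:", demo())
```

Note that the check protects billing only as far as the secret does: a NAS that shares its secret with every box on the segment, or a server that accepts Accounting-Requests from arbitrary source addresses, gives the forger the same footing as the test programs Victor mentions.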