Re: Serious bug in "radius" dialup authentication software

James Sneeringer (jvs@OCSLINK.COM)
Mon, 23 Feb 1998 00:23:17 -0600

On Sun, 22 Feb 1998, Marco S Hyman wrote:
| Look at radius.h in the original Livingston code. You'll see:
| #define AUTH_STRING_LEN 128 /* maximum of 254 */

Based on some limited testing I did, PortMasters (ComOS 3.7.2) never send a
username longer than 63 characters. Incidentally, this is the lowest
maximum length recommended by RFC 2058 (section 5.1).

I think it likely that some NAS vendor out there has (or had) a seriously
broken RADIUS implementation, such that it ends up passing some pretty
funky data to radiusd.

It would help if the original poster could also specify the make and model
of the NAS tested on, and what OS version it was running.

-James
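Added illustration, not part of James's post or of the Livingston radiusd source: a bounded User-Name extraction that walks the RADIUS attribute TLVs and refuses a value that would not fit the 128-byte AUTH_STRING_LEN buffer quoted above, rather than copying whatever length byte the NAS sent. The attribute list builder (sample_user_name_rc) and its Service-Type prefix are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Limit as in the quoted Livingston radius.h. A RADIUS attribute's one-byte
 * length covers the type and length octets too, so a value is at most 253. */
#define AUTH_STRING_LEN 128
#define PW_USER_NAME    1
#define PW_SERVICE_TYPE 6

/* Copy the User-Name value into dst. Returns its length, -1 if the
 * attribute is absent or the TLV list is malformed, -2 if the value
 * (plus NUL) would not fit. Never writes past dst_len. */
int get_user_name(const uint8_t *attrs, size_t attrs_len,
                  char *dst, size_t dst_len)
{
    size_t off = 0;
    while (off + 2 <= attrs_len) {
        uint8_t type = attrs[off];
        uint8_t len  = attrs[off + 1];      /* includes the 2 header octets */
        if (len < 2 || off + len > attrs_len)
            return -1;                      /* malformed, stop parsing */
        if (type == PW_USER_NAME) {
            size_t vlen = len - 2;
            if (vlen >= dst_len)
                return -2;                  /* reject instead of overflowing */
            memcpy(dst, attrs + off + 2, vlen);
            dst[vlen] = '\0';
            return (int)vlen;
        }
        off += len;
    }
    return -1;
}

/* Constructed sample packet body: a Service-Type attribute (Framed = 2)
 * followed by a User-Name of n bytes of 'a', fed through get_user_name. */
int sample_user_name_rc(size_t n)
{
    uint8_t attrs[300];
    char name[AUTH_STRING_LEN];
    size_t off = 0;
    if (n > 253) return -99;                /* not encodable in one attribute */
    attrs[off++] = PW_SERVICE_TYPE; attrs[off++] = 6;
    attrs[off++] = 0; attrs[off++] = 0; attrs[off++] = 0; attrs[off++] = 2;
    attrs[off++] = PW_USER_NAME;    attrs[off++] = (uint8_t)(n + 2);
    memset(attrs + off, 'a', n);
    off += n;
    return get_user_name(attrs, off, name, sizeof name);
}
```

A 63-character name (the PortMaster maximum) is accepted; anything of 128 bytes or more is rejected before any copy happens.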