On Tue, Nov 13, 2001 at 12:16:02PM -0500, aland@striker.ottawa.on.ca wrote: > Some points in that message were also covered by Joshua, he added a > number of good points, and missed a few others. Specifically, rfc2869 > defines the Message-Authenticator attribute, which is used to sign > packets. This signature allows Access-Request packets to be verified, > negating the security problems of spoofed packets. Unless the attacker simply removes the Message-Authenticator from the packets before replaying them... Leaving out any reference to rfc2869 was an oversight on my part. I recently updated the online version of my analysis with pertinent information regarding the Message-Authenticator. Take a look at the last two paragraphs of section 4.2 at: http://www.untruth.org/~josh/security/radius/radius-auth.html Thanks for your comments, Josh
