
Authenticator, Password encryption, Radius proxy – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual


RADIUS Introduction and Configuration

Software Reference for x310 Series Switches

46.6

AlliedWare Plus™ Operating System - Version 5.4.4C

C613-50046-01 REV A

Authenticator

The authenticator is a random 16-byte value generated by the NAS. The NAS creates a new
authenticator value for each Access-Request that it sends.

The response packets that come back from the server contain a value called the Response
Authenticator. This is an MD5 hash computed over the concatenation of:

- the packet type identifier
- the Session ID
- the Authenticator sent in the request packet
- the Attribute fields in the packet
- the shared secret that the server shares with the NAS to which it is responding

When the NAS receives the response packet, it performs the same hash over the same
values and verifies that the result matches the Response Authenticator in the packet. If it
does not match, the NAS must assume that the response packet has been spoofed, and it
silently discards the packet.

Password Encryption

The value placed in the User-Password TLV of an Access-Request packet is not simply an
exact copy of the password that the requestor sent to the NAS.

The NAS concatenates the shared secret with the authenticator that it randomly generated
for this request, hashes that concatenation with MD5, and XORs the result with the
password to produce the value that goes into the User-Password TLV.

When the server validates the Access-Request, it retrieves the user’s password from
the user credentials database, and performs the same manipulation upon that password.
If the result matches the value in the user-password field of the Access-Request, then
the password sent by the requestor is deemed to be correct.

RADIUS Proxy

The user database in which a RADIUS server looks up the user credentials it receives may
not reside on the RADIUS server itself. The external user database may reside on another
RADIUS server, and the communication with that server uses RADIUS. A RADIUS server
that communicates with a NAS but also acts as a client to another RADIUS server is said to
be acting as a RADIUS proxy.

There are a variety of situations where a RADIUS proxy is useful. Multiple RADIUS servers
could have been set up, holding user databases for different purposes, such as:

- Authentication
- Switch management sessions
- Authenticating VPN connections
- Authenticating 802.1X sessions

However, it is convenient for all the NASs in the network to use a single address as their
RADIUS server. That one RADIUS server, to which the NASs send their requests, can then
act as a proxy for all the servers holding the different user databases.
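The three mechanisms described above (Response Authenticator check, User-Password hiding, and a proxy that re-keys a request for an upstream server) are shown together below as an added example. This is not code from the manual or from Allied Telesis; it follows the RFC 2865 definitions, in which the Response Authenticator hash also covers the packet Length field and the User-Password is hidden block by block. The shared secrets, authenticators, user name and password are constructed demo values, and the proxy_forward function is an assumed helper that illustrates why a proxy must hold both shared secrets and sees the cleartext password in between.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    """Decode an attribute list into {type: value}; rejects truncated TLVs."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous cipher block); the first 'previous block' is the
    16-byte Request Authenticator the NAS generated for this request."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return bytes(out)

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; trailing NUL padding is stripped."""
    if len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return bytes(out).rstrip(b"\x00")

def packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Assemble Code, Identifier, Length, 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes

def response_authenticator(code, identifier, attributes, request_auth, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: recompute the Response Authenticator and compare it in
    constant time; False means the reply must be silently discarded."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])

def proxy_forward(request: bytes, nas_secret: bytes, upstream_secret: bytes,
                  upstream_auth: bytes) -> bytes:
    """Assumed proxy step: re-key an Access-Request received from a NAS for an
    upstream server. The proxy needs both secrets and holds the cleartext password."""
    code, identifier, _ = struct.unpack("!BBH", request[:4])
    attrs = parse_attrs(request[20:])
    clear = unhide_password(attrs[USER_PASSWORD], nas_secret, request[4:20])
    attrs[USER_PASSWORD] = hide_password(clear, upstream_secret, upstream_auth)
    return packet(code, identifier, upstream_auth,
                  b"".join(attr(t, v) for t, v in attrs.items()))

if __name__ == "__main__":
    # Constructed demo values (not from the manual); a real NAS uses os.urandom(16).
    nas_secret, up_secret = b"nas-secret", b"upstream-secret"
    nas_auth, up_auth = bytes(range(16)), bytes(range(16, 32))
    hidden = hide_password(b"hunter2", nas_secret, nas_auth)
    req = packet(ACCESS_REQUEST, 7, nas_auth,
                 attr(USER_NAME, b"alice") + attr(USER_PASSWORD, hidden))
    fwd = proxy_forward(req, nas_secret, up_secret, up_auth)
    reply = packet(ACCESS_ACCEPT, 7,
                   response_authenticator(ACCESS_ACCEPT, 7, b"", up_auth, up_secret), b"")
    print("upstream reply genuine:", verify_response(reply, up_auth, up_secret))
    print("reply checked against the wrong request:", verify_response(reply, nas_auth, up_secret))
```

Two points worth noticing when running it: a reply only verifies against the exact Request Authenticator and shared secret it was computed for, which is what lets the NAS reject a replayed or forged reply, and the forwarded request carries the same password hidden under a different secret and authenticator, so the proxy host and both of its shared secrets need the same protection as the servers themselves.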