Hello, welcome to the Wednesday, May 31st, 2017 edition of the Sansanet Storms anders Stormcast. My name is Johannes Ulrich and the day I'm recording from Jacksonville, Florida.

If you're using 3 Radius, it's time to update. Now, Radius is a network authentication protocol and it's often used, for example,

in wireless networks to authenticate clients, but can be used in various other setups, in particular

for network devices and the like, and to authenticate users to access a network.

Originally, the protocol was actually used in dial-up modem forms.

If you remember, well, maybe not all of you, when you dialed up to your ISP, you had to provide

credentials.

They were typically validated using radius.

Now based on that legacy, radius itself does actually not protect credentials very well, because

it's sort of built for that serial, that dial-up connection.

So in modern networks, if you're using it over a Wi-Fi network, for example,

you typically use radius over TLS. And then of course TLS is not just useful to actually

encrypt data, but also to authenticate, for example, that you are connecting to the right

server. Now for TLS, there is a very commonly implemented feature that

allows you to resume sessions. So what happens there is that the server keeps track of all the

TLS session IDs and the keys that go with them. If now a client reconnects uses an already cached session ID,

then the server will just try to keep using these existing keys.

The problem with Free Radius is that if you are resuming a session,

that Free Radius assumes that you are already authenticated,

which is not necessarily the case.

You could start your authentication, interrupt it, and then later resume that session,

but you never really completed the initial authentication.

...