
SA 2500 accept invalid users authentication

paoloventriglia_
New Contributor

SA 2500 accept invalid users authentication

Hi,

I have an SA2500 that authenticates against a Radius server for 2-factor authentication.

The users are given a username and a hardware token that issues one-time passwords.

The setup works, however sometimes the SA2500 will authenticate users that don't exist in my radius server. Users such as: dkljfghadklhg with password dlkfhgdagh will be happily authenticated by the SA2500.

The following is the user access log from my SA2500; as you can see, 3 invented users have been successfully authenticated:

Info AUT24326 2008-07-29 14:45:49 - ive - [86.175.0.68] VictoriaL(**** Radius)[] - Primary authentication successful for VictoriaL/**** Radius from 86.175.0.68

Info AUT24326 2008-07-29 13:47:39 - ive - [192.168.1.114] PaoloV(**** Radius)[] - Primary authentication successful for PaoloV/**** Radius from 192.168.1.114

Info AUT24326 2008-07-29 12:11:48 - ive - [192.168.1.114] zsdtgjxfjxfh(**** Radius)[] - Primary authentication successful for zsdtgjxfjxfh/**** Radius from 192.168.1.114

Info AUT24326 2008-07-29 11:56:52 - ive - [192.168.1.51] fqerqsdfqc(**** Radius)[] - Primary authentication successful for fqerqsdfqc/**** Radius from 192.168.1.51

Info AUT24326 2008-07-29 11:30:26 - ive - [212.169.28.242] jaswantss(**** Radius)[] - Primary authentication successful for jaswantss/**** Radius from 212.169.28.242

Info AUT24326 2008-07-29 10:31:19 - ive - [212.169.28.242] jaswantss(**** Radius)[] - Primary authentication successful for jaswantss/**** Radius from 212.169.28.242

Info AUT24326 2008-07-29 09:07:18 - ive - [212.183.136.194] RickyG(**** Radius)[] - Primary authentication successful for RickyG/**** Radius from 212.183.136.194

Info AUT24326 2008-07-29 09:05:45 - ive - [91.106.1.157] RichardB(**** Radius)[] - Primary authentication successful for RichardB/**** Radius from 91.106.1.157

Info AUT24326 2008-07-29 08:55:40 - ive - [84.64.100.132] ianp(**** Radius)[] - Primary authentication successful for ianp/**** Radius from 84.64.100.132

Info AUT24326 2008-07-29 08:51:15 - ive - [77.103.10.201] lisaj(**** Radius)[] - Primary authentication successful for lisaj/**** Radius from 77.103.10.201

Info AUT24326 2008-07-29 08:39:19 - ive - [86.175.0.68] VictoriaL(**** Radius)[] - Primary authentication successful for VictoriaL/**** Radius from 86.175.0.68

Info AUT24326 2008-07-29 05:42:09 - ive - [86.132.204.139] jshfjfsdsdk(**** Radius)[] - Primary authentication successful for jshfjfsdsdk/**** Radius from 86.132.204.139

My Radius server is a CryptoCard server. Every time a user logs in, an entry is added to the CryptoCard server log. Authentication of those invented users is NOT logged in the CryptoCard server's logs.

It seems that sometimes the SA2500 ignores the existence of the Radius server and accepts any given login.

The Radius server is the only realm set up in the SA2500.

Thanks in advance for your help.

Paolo
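The cross-check described in the post above, as an added example that is not part of the original thread: it parses the SA2500 `AUT24326` success lines and flags any that have no matching accept on the RADIUS side. The function names and the `(username, accept time)` record shape are hypothetical, since the CryptoCard log format is not shown in the post, and the 30-second window assumes both clocks are roughly in sync.

```python
import re
from datetime import datetime, timedelta

# Matches the "Primary authentication successful" lines (message ID AUT24326).
LINE_RE = re.compile(
    r"^Info AUT24326 (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \S+ - "
    r"\[(?P<ip>[^\]]+)\] (?P<user>[^\s(]+)\((?P<realm>[^)]*)\)\[[^\]]*\] - "
    r"Primary authentication successful for "
)
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_successes(log_text):
    """Return (timestamp, source_ip, username) for each gateway-side success."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"]))
    return out

def unbacked_successes(gateway_log, radius_accepts, window_s=30):
    """Gateway successes with no RADIUS accept for the same user within window_s."""
    window = timedelta(seconds=window_s)
    flagged = []
    for ts, ip, user in parse_successes(gateway_log):
        backed = any(u == user and abs(ts - t) <= window for u, t in radius_accepts)
        if not backed:
            flagged.append((ts.strftime(TS_FMT), ip, user))
    return flagged

# Three access-log lines copied from the post.
GATEWAY_LOG = """\
Info AUT24326 2008-07-29 14:45:49 - ive - [86.175.0.68] VictoriaL(**** Radius)[] - Primary authentication successful for VictoriaL/**** Radius from 86.175.0.68
Info AUT24326 2008-07-29 13:47:39 - ive - [192.168.1.114] PaoloV(**** Radius)[] - Primary authentication successful for PaoloV/**** Radius from 192.168.1.114
Info AUT24326 2008-07-29 12:11:48 - ive - [192.168.1.114] zsdtgjxfjxfh(**** Radius)[] - Primary authentication successful for zsdtgjxfjxfh/**** Radius from 192.168.1.114
"""

# Constructed RADIUS-side accept records (username, accept time); in practice
# these would be extracted from the RADIUS server's own authentication log.
RADIUS_ACCEPTS = [
    ("VictoriaL", datetime(2008, 7, 29, 14, 45, 48)),
    ("PaoloV", datetime(2008, 7, 29, 13, 47, 38)),
]

if __name__ == "__main__":
    for row in unbacked_successes(GATEWAY_LOG, RADIUS_ACCEPTS):
        print("no RADIUS accept for:", *row)
```

Matching on time as well as username means a login is still flagged when the same name was accepted by the RADIUS server hours earlier but not for this session.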

3 REPLIES
kenlars_
Super Contributor

Re: SA 2500 accept invalid users authentication

I'd turn on policy tracing to see if I learned something from it. Assuming you can confirm the problem, open a JTAC case - this is a major security risk.
ben_
Frequent Contributor

Re: SA 2500 accept invalid users authentication

But if this is an attack, you should check why there are also private IPs in your list.

So this is either from your internal network, or the callerID (or similar) from the RADIUS packet is displayed there...

Ray_
Frequent Contributor

Re: SA 2500 accept invalid users authentication

Do you have a * user anywhere? How about in the local authentication database?

Using RSA without a Radius server and an SA-2500 and 6.1R3 firmware, it does not accept invalid users.

Ray