The Access-Request Packet
By default, and as the RFC specifies, there is no verification or authentication of the RADIUS Access-Request packet. The RADIUS server will check that the message originated from an IP address listed as one of its clients, but in this day and age spoofed IP addresses are easy to find and use. This is a serious limitation of the RADIUS protocol design.
As of now, the only workable solution is to require the presence of the Message-Authenticator attribute in all Access-Request messages. Briefly, the Message-Authenticator is an HMAC-MD5 over the entire Access-Request packet, keyed with the client's shared secret. When a RADIUS server is configured to accept only Access-Request messages that carry a valid Message-Authenticator attribute, it must silently discard packets in which the attribute is invalid or missing. More information on the Message-Authenticator attribute can be found in Chapter 9 or in RFC 2869.
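The following added example (not from this book) shows both halves of that rule in code: a client fills in the Message-Authenticator of a constructed Access-Request, and a server accepts the packet only when the attribute is present and verifies, silently discarding a tampered copy and a copy with no attribute at all. The shared secret, Request Authenticator and User-Name are constructed values; the attribute type 80 and the zero-filled-then-HMAC-MD5 computation follow RFC 2869.

```python
import hmac, hashlib, struct

# Constants from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80
SECRET = b"testing123"              # constructed shared secret for this example
REQ_AUTH = bytes(range(16))         # constructed Request Authenticator (normally random)

def build_access_request(identifier, attributes):
    """Serialise Code, Identifier, Length, Request Authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + REQ_AUTH + body

def attributes(packet):
    """Yield (offset, type, value) for every attribute; raise on a malformed length."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, t, packet[pos + 2:pos + length]
        pos += length

def message_authenticator(packet, pos, secret):
    """HMAC-MD5 over the whole packet with the 16-byte attribute value set to zeros."""
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign(packet, secret):
    """Client side: replace the all-zero Message-Authenticator placeholder with the real value."""
    for pos, t, _ in attributes(packet):
        if t == MESSAGE_AUTHENTICATOR:
            return packet[:pos + 2] + message_authenticator(packet, pos, secret) + packet[pos + 18:]
    raise ValueError("no Message-Authenticator placeholder")

def accept(packet, secret):
    """Server side: True only when a valid Message-Authenticator is present.
    A missing, malformed or non-verifying attribute means silent discard (False)."""
    try:
        for pos, t, value in attributes(packet):
            if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
                return hmac.compare_digest(message_authenticator(packet, pos, secret), value)
    except ValueError:
        pass
    return False

def examples():
    """Constructed packets: properly signed, altered in flight, and lacking the attribute."""
    unsigned = build_access_request(7, [(USER_NAME, b"alice"), (MESSAGE_AUTHENTICATOR, bytes(16))])
    signed = sign(unsigned, SECRET)
    tampered = signed.replace(b"alice", b"carol")   # same length, so the Length field stays valid
    missing = build_access_request(7, [(USER_NAME, b"alice")])
    return {"signed": signed, "tampered": tampered, "missing": missing}
```

Only the signed packet passes `accept`; the altered and attribute-less packets are dropped, which is exactly the behaviour a server configured to require Message-Authenticator must exhibit.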
If your implementation somehow prevents the use of the Message-Authenticator attribute, at least consider using some sort of account-lockout feature, which disables authentication after a specified number of authentication attempts within a specified time.