The User-Password Attribute and Password Attacks
An attacker can get around any rate limits on authentication that the administrator of the RADIUS server has put in place, because of the way the stream cipher is used to protect the User-Password attribute. Here's how it works: the hacker first tries to authenticate against a RADIUS server using a known good username and a known, but probably incorrect, password. She takes the resulting Access-Request packet and works out the MD5 result of the Request Authenticator and shared secret combination, as described earlier. She can then mount a brute-force password attack by switching out the passwords in the packet while keeping the same Request Authenticator and shared secret. This will only work, however, if the password is 16 characters or fewer, since from the 17th character onward the User-Password cipher feeds the previous ciphertext block into the encryption and so becomes self-synchronizing.
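The block-by-block behaviour described above, as an added illustration that is not the book's own code: the RFC 2865 section 5.2 User-Password hiding, its server-side inverse, and a helper that hides two passwords under the same Request Authenticator and reports which 16-octet blocks ended up under identical keystream. The shared secret and authenticator are constructed sample values; the check shows why a fresh, random Request Authenticator per request is the only thing keeping the first block's keystream from being reused.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 section 5.2 hides the password in 16-octet blocks

def _pad(password):
    """NUL-pad to a multiple of 16 octets; an empty password still fills one block."""
    return password.ljust(max(1, -(-len(password) // BLOCK)) * BLOCK, b"\x00")

def hide_user_password(password, secret, request_auth):
    """Client-side hiding: block i is XORed with MD5(secret + prev), where prev is
    the Request Authenticator for block 0 and the previous ciphertext block after
    that. Block 0's keystream depends only on (secret, authenticator); chaining
    through ciphertext starts at octet 17."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    out, prev, padded = bytearray(), request_auth, _pad(password)
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += block
        prev = block
    return bytes(out)

def reveal_user_password(hidden, secret, request_auth):
    """Server-side inverse: regenerate the same keystream, XOR, strip NUL padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")

def blocks_sharing_keystream(secret, request_auth, pw_a, pw_b):
    """Hide two passwords under the SAME Request Authenticator and report, per block,
    whether ciphertext XOR equals plaintext XOR (identical keystream). Block 0 is
    always shared; block i > 0 is shared only if all earlier ciphertext blocks match."""
    ca = hide_user_password(pw_a, secret, request_auth)
    cb = hide_user_password(pw_b, secret, request_auth)
    pa, pb = _pad(pw_a), _pad(pw_b)
    shared = []
    for i in range(0, min(len(ca), len(cb)), BLOCK):
        ct_xor = bytes(x ^ y for x, y in zip(ca[i:i + BLOCK], cb[i:i + BLOCK]))
        pt_xor = bytes(x ^ y for x, y in zip(pa[i:i + BLOCK], pb[i:i + BLOCK]))
        shared.append(ct_xor == pt_xor)
    return shared

if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", os.urandom(BLOCK)  # sample values only
    print(blocks_sharing_keystream(secret, ra, b"correct-horse-battery", b"staple-guess-number2"))
```

Two passwords that agree in their first 16 octets produce an identical first ciphertext block, so the second block is under shared keystream as well; the chaining only isolates a later block when an earlier ciphertext block differs.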