Incoming RADIUS Message Validation
Applies To: Windows Server 2008, Windows Server 2008 R2
The following sections provide information about how Network Policy Server (NPS) validates incoming Remote Authentication Dial-In User Service (RADIUS) messages under various circumstances.
NPS server validation of RADIUS messages
For RADIUS messages for which NPS is acting as RADIUS server, NPS performs the following validation checks:
NPS verifies that the RADIUS message was sent from a configured RADIUS client by checking the source IP address of the RADIUS message.
If the message is not from a configured RADIUS client, it is silently discarded and an event is logged in the system event log.
NPS checks to ensure that the message type is valid for the port on which it was received and then checks the structure of the RADIUS message. Items checked include valid values of the Code field, the size of the RADIUS message, and the size of the RADIUS attributes in the RADIUS message. NPS also checks whether or not the attributes themselves are the expected data type. If the attribute is not the expected data type, or if the RADIUS message is malformed, the message is discarded and an event is logged in the system event log.
The User-Name attribute is checked for the value of the Ping User-Name registry setting. If there is a match between the value of the User-Name attribute and the value of the Ping User-Name registry setting, NPS sends an Access-Reject for authentication requests and an accounting response for accounting requests.
If the Message-Authenticator attribute is present, its value is validated by using the shared secret. A shared secret is a text string that serves as a password between a RADIUS server and a RADIUS client. If the Message-Authenticator attribute is required but missing, or verification of its value fails, the message is silently discarded, and an event is logged in the system event log.
NPS proxy validation of RADIUS request messages
For RADIUS request messages for which NPS is acting as RADIUS proxy, NPS performs the following validation checks:
NPS verifies that the RADIUS message was sent from a configured RADIUS client by checking the source IP address of the RADIUS message.
If the message is not from a configured RADIUS client, it is silently discarded, and an event is logged in the system event log.
NPS checks to ensure that the message type is valid for the port on which it was received and then checks the structure of the RADIUS message. Items checked include valid values of the Code field, the size of the RADIUS message, and the size of the RADIUS attributes in the RADIUS message.
If the RADIUS message is malformed, it is silently discarded and an event is logged in the system event log.
NPS checks for the presence of the Proxy-State attribute and whether the value of the Proxy-State attribute corresponds to an active proxy session in the proxy session table. If the RADIUS message does not contain a valid Proxy-State attribute, it is silently discarded and an event is logged in the system event log.
If the Message-Authenticator attribute is present, its value is validated using the shared secret. If the Message-Authenticator attribute is required but missing, or verification of its value fails, the message is silently discarded, and an event is logged in the system event log.
NPS proxy validation of RADIUS response messages
For RADIUS response messages for which NPS is acting as RADIUS proxy, NPS performs the following validation checks:
NPS verifies that the RADIUS message was sent from a configured remote RADIUS server by checking the source IP address of the RADIUS message.
If the message is not from a configured remote RADIUS server, it is silently discarded and an event is logged in the system event log.
NPS checks to ensure that the message type is valid for the port on which it was received and then checks the structure of the RADIUS message. Items checked include valid values of the Code field, the size of the RADIUS message, and the size of the RADIUS attributes in the RADIUS message.
If the RADIUS message is malformed, it is silently discarded, and an event is logged in the system event log.
NPS checks for the presence of the Proxy-State attribute and whether the value of the Proxy-State attribute corresponds to an active proxy session in the proxy session table. If the RADIUS message does not contain a valid Proxy-State attribute, it is silently discarded and an event is logged in the system event log.
NPS checks the IP source address and UDP source port of the message against the matching entry in the proxy session table to verify that the message was sent from the remote RADIUS server to which the initial request was sent.
The value of the Authenticator field is checked.
If the RADIUS message contains an Authenticator field that is not valid, it is silently discarded and an event is logged in the system event log. This is typically caused by mismatched shared secrets between the NPS server and the remote RADIUS server that sends the RADIUS message.
If the Message-Authenticator attribute is present, its value is validated using the shared secret. If the Message-Authenticator attribute is required but missing, or verification of its value fails, the message is silently discarded, and an event is logged in the system event log.