How to build a safe Radius server


Background knowledge

A RADIUS server can be attacked by an attacker who intercepts a valid Access-Request together with its response packet and then runs a dictionary attack against that pair offline, trying candidate shared secrets until one reproduces the captured packets.

The "Message-Authenticator" attribute MAY be used in any Access-Request. It is not needed if the User-Password attribute is present, but is useful for preventing attacks on other types of authentication. It is intended to thwart attempts by an attacker to set up a "rogue" NAS and perform online dictionary attacks against the RADIUS server (this is the wording of RFC 2869, section 5.14). The attribute value is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, so a client that does not know the secret cannot produce a request the server will accept.

Solution

Now you can download RadiusCracker (a Java application) to test your RADIUS server. If your RADIUS server can be cracked, it is not safe, and you should use a safe one. If you are using WinRadius, you can easily make it safe by checking "Access-Request must include "Message-Authenticator"" under "Settings/Authorization.../Basic". All Access-Requests without a "Message-Authenticator" attribute will then be silently discarded.
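To show what that setting enforces, here is an added example (not WinRadius or RadiusCracker code) that builds a constructed Access-Request and applies the server-side check: compute HMAC-MD5 over the packet with the shared secret and the Message-Authenticator value zeroed, and discard any request where the attribute is missing or does not match. The shared secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80

def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def _hide_password(secret, authenticator, password):
    # RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with a chained MD5 key.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, user, password, with_mac=True, identifier=1):
    """Constructed Access-Request; with_mac=False mimics a client that omits Message-Authenticator."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, _hide_password(secret, authenticator, password))
    if with_mac:
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    if with_mac:  # HMAC-MD5 over the packet with the attribute value zeroed (RFC 2869 section 5.14)
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def verify_access_request(packet, secret):
    """Server-side check: accept only an Access-Request whose Message-Authenticator verifies."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos, mac_offset, received = 20, None, None
    while pos < length:  # walk the TLV attributes, rejecting malformed lengths
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return False
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18 or mac_offset is not None:
                return False
            mac_offset, received = pos + 2, packet[pos + 2:pos + 18]
        pos += alen
    if mac_offset is None:
        return False  # attribute missing: discard, as the WinRadius setting does
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```

A request without the attribute, one signed with a different secret, and one whose User-Name was altered in transit all fail the check, while a correctly signed request passes.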

For more information, please contact us.