Please document dynamic in proxy server section in proxy.conf

Alan DeKok aland at deployingradius.com
Thu Mar 19 13:47:16 CET 2015


On Mar 19, 2015, at 2:57 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
>>  If two realms claim to be served by a server with IP address
>>  192.0.2.23, we don't want one of these realms to be able to overwrite
>>  the key for the other.  Either both keys will work for the same IP
>>  address, or someone is being dishonest, but it's important not to
>>  combine home servers in this instance just because they have the same
>>  IP and hostname
> 
> That is, hostname and port? The same IP can run multiple servers on
> different ports with different keys. There's no dishonesty in any of that.

  No.  The problem is different.

  Let’s say we have a proxy which uses *one* list for home servers.  In that case, I can take *everyone’s* roaming down with a simple configuration.

1) I sign up for a roaming consortium, as example.org

2) When proxies ask for my RADIUS server information, I give them *my* certificate, and the RADIUS IP / port for example.com

3) A user logs into the proxy with example.com, and gets the example.com RADIUS server IP/port

4) The certificate presented for that IP/port is for example.org, so the example.com roaming will fail

  As a result, the home server TLS information *must* be kept separate for each realm.

  Alan DeKok.
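
Added example, not part of the original message and not FreeRADIUS code: a small model of the scenario above, comparing a proxy that keeps one home-server list keyed by IP/port with one that keeps TLS information per realm. The class names, the certificate identities, the port 2083 and the assumption that the server listening at 192.0.2.23 presents example.com's certificate are all constructed for illustration.

```python
# Added model, not FreeRADIUS code. All names and values are constructed.
from typing import NamedTuple

class HomeServer(NamedTuple):
    realm: str     # realm that supplied this entry
    ip: str
    port: int
    tls_id: str    # certificate identity the proxy will require

class SharedTable:
    """One list for all realms, keyed by (ip, port): last writer wins."""
    def __init__(self):
        self.entries = {}
    def register(self, hs):
        self.entries[(hs.ip, hs.port)] = hs
    def lookup(self, realm, ip, port):
        return self.entries.get((ip, port))

class PerRealmTable(SharedTable):
    """Same table, but the realm is part of the key."""
    def register(self, hs):
        self.entries[(hs.realm, hs.ip, hs.port)] = hs
    def lookup(self, realm, ip, port):
        return self.entries.get((realm, ip, port))

# Constructed input: both realms name 192.0.2.23:2083, each with its own cert.
REGISTRATIONS = [
    HomeServer("example.com", "192.0.2.23", 2083, "radius.example.com"),
    HomeServer("example.org", "192.0.2.23", 2083, "radius.example.org"),
]
# Constructed: identity the server actually listening there presents.
PRESENTED = {("192.0.2.23", 2083): "radius.example.com"}

def build(table_cls):
    """Load every registration into a fresh table, in submission order."""
    table = table_cls()
    for hs in REGISTRATIONS:
        table.register(hs)
    return table

def roaming_ok(table, realm):
    """True if the proxy's TLS identity check passes when proxying for `realm`."""
    hs = next(r for r in REGISTRATIONS if r.realm == realm)
    expected = table.lookup(realm, hs.ip, hs.port)
    return expected is not None and expected.tls_id == PRESENTED[(hs.ip, hs.port)]
```

With the shared table the later example.org entry replaces the example.com one, so example.com's check fails; with the per-realm table only the realm whose own entry does not match the server is affected.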



