Allowing any NAS to connect to my radiusd.

Guy Davies Guy.Davies at telindus.co.uk
Fri Jul 15 12:42:57 CEST 2005


Hi Marcin,

You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can
use the same key.  I think that doing 0.0.0.0/0 would be a very bad plan
since it only requires that an attacker know the shared key to be able
to send valid requests.  Since all your devices are matched by a single
entry, *all* your devices by definition must use the same key and it
becomes more likely that the knowledge of that key will "get out" and
you'll have the tedious task (if you even notice) of changing the secret
key on every single NAS.

If you can constrain it to a small subnet, then that's slightly better
(although still somewhat risky).

The best method is to have individual clients listed with *unique* keys
per client (yes, I know this is a real pain but if you want security
this is about the best you can do with the limited security afforded by
the shared key).

Rgds,

Guy

> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org 
> [mailto:freeradius-users-bounces at lists.freeradius.org] On 
> Behalf Of Marcin Jessa
> Sent: 15 July 2005 11:29
> To: FreeRadius
> Subject: Allowing any NAS to connect to my radiusd.
> 
> 
> Hi.
> 
> I would like to allow any NAS IP to connect to my radius 
> server restricting connections from NAS only with shared 
> secret - username and password. Is it possible to use 0.0.0.0 
> or ANY in clients.conf/SQL nas table? What are the security 
> issues having an open setup like that?
> 
> Cheers
> Marcin Jessa.

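An added audit script, not from this thread or from FreeRADIUS itself, that parses a constructed clients.conf-style fragment and flags the two risks Guy describes above: a 0.0.0.0/0 or wide-subnet client entry (where only the shared secret gates access) and one secret reused across several entries. The sample configuration and the addresses in it are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed clients.conf fragment in the "client <ip-or-cidr> { ... }" form;
# the addresses and secrets are placeholders, not from any real deployment.
SAMPLE_CLIENTS_CONF = """
client 0.0.0.0/0 {
    secret = sharedeverywhere
    shortname = any-nas
}
client 10.10.10.0/24 {
    secret = sharedeverywhere
    shortname = branch-lan
}
client 192.0.2.10 {
    secret = unique-key-for-nas1
    shortname = nas1
}
client 192.0.2.11 {
    secret = unique-key-for-nas2
    shortname = nas2
}
"""

CLIENT_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KEYVAL = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return (network, secret, shortname) for each client block."""
    clients = []
    for header, body in CLIENT_BLOCK.findall(text):
        attrs = dict(KEYVAL.findall(body))
        # Network comes from the header, or from ipaddr/netmask if present.
        addr = attrs.get("ipaddr", header)
        if "/" not in addr and "netmask" in attrs:
            addr = f"{addr}/{attrs['netmask']}"
        net = ipaddress.ip_network(addr, strict=False)
        clients.append((net, attrs.get("secret", ""), attrs.get("shortname", header)))
    return clients

def audit_clients(text):
    """List findings: catch-all entries, multi-host ranges, and reused secrets."""
    findings, by_secret = [], defaultdict(list)
    for net, secret, name in parse_clients(text):
        by_secret[secret].append(name)
        if net.prefixlen == 0:
            findings.append(f"{name}: matches any NAS ({net}); only the secret gates access")
        elif net.num_addresses > 1:
            findings.append(f"{name}: range {net} shares one secret across {net.num_addresses} addresses")
    for secret, names in by_secret.items():
        if len(names) > 1:
            findings.append(f"secret reused by {len(names)} clients: {', '.join(names)}")
    return findings
```

Running `audit_clients(SAMPLE_CLIENTS_CONF)` reports the catch-all entry, the /24 range, and the secret shared between them, while the two single-host entries with unique keys produce no finding.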