public secret and public radius server. Is it secure?
Alan DeKok
aland at nitros9.org
Fri Jun 2 18:23:08 CEST 2006
sophana <sophana at zizi.ath.cx> wrote:
> In my project, I don't own the hotspots, and don't know about the
> hotspots' ISPs.
> The hotspots communicate to the radius server through the internet.
I would suggest using another method to get a secure connection to
the hotspot. Maybe IPSec.
Barring that, each hotspot has a dynamic IP within a small network
range. So you can list the network in "clients.conf", and at least
have one shared secret per hotspot location. This *is* documented in
clients.conf, please read it.
> Ok. I don't know much about the radius protocol details, maybe you could
> help me understand how secure a solution would be where the secret is
> known by everybody.
I thought I said it WOULDN'T be secure. What part of my response
was unclear?
> Now, once a user is authenticated, how does the NAS send accounting info?
Read the documentation. That's what it's there for.
> Does it have to authenticate again, or is its IP address (and its
> (publicly known) secret) sufficient to authenticate?
> Do you need at least a session id?
You're confused. Users authenticate. NASes don't.
> Imagine that the malicious user cannot listen to the radius
> communications. What can it do without authentication?
Not get on the network? I don't understand why you're asking these
questions.
> I need security, because I will use accounting info to perform
> facturation...
Facturation isn't an English word.
Alan DeKok.
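
An added example, not part of the original message and not FreeRADIUS code: the check a server applies to an Accounting-Request under RFC 2866, where the authenticator is an MD5 over the packet and the shared secret. It shows that the check only proves the sender knows the secret, which is why accounting data used for billing cannot rest on a secret everybody knows. The secret, user name and session values are constructed samples, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                        # RADIUS code (RFC 2866)
SHARED_SECRET = b"constructed-public-secret"  # constructed sample value


def attr(type_, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def sample_attrs(session_time):
    """Constructed Stop record: User-Name, Status-Type, Session-Id, Session-Time."""
    return (attr(1, b"alice") + attr(40, struct.pack("!I", 2)) +
            attr(44, b"0001") + attr(46, struct.pack("!I", session_time)))


def acct_authenticator(ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_acct_request(ident, attrs, secret):
    """Serialise an Accounting-Request as any holder of the secret would."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(ident, attrs, secret) + attrs


def verify_acct_request(packet, secret):
    """Server-side check: True when the authenticator matches the secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    expected = acct_authenticator(ident, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    pkt = build_acct_request(1, sample_attrs(3600), SHARED_SECRET)
    print("valid with shared secret:", verify_acct_request(pkt, SHARED_SECRET))
    print("valid with other secret: ", verify_acct_request(pkt, b"per-site-secret"))
```

A record with a different session time built by a second party who knows the same secret passes the same check, so the server has no cryptographic way to tell the two senders apart.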