Duplicate IPs for Radius Clients with different secrets
Alan DeKok
aland at deployingradius.com
Tue Dec 16 16:26:46 CET 2008
Eric Geier wrote:
>> - in this case, they
>> will appear to the FreeRADIUS server as originating from the
>> IP address of your real outside world gateway/NAT box. therefore
>> each of your sites will be presented to the FreeRADIUS server
>> as different IP addresses.
>
> Are you saying it would work, FreeRADIUS would respond to the individual
> sites?
Yes. This is how *any* networking protocol works.
>> of course, you could really freak things out by using
>> VPN tunnels from the inside networks of each site direct to
>> the FreeRADIUS box - but if all your sites use the same range
>> of addresses then the server wouldn't have a clue at all of which
>> tunnel to send the reply down!
>
> Why would I want to VPN to the server?
So that your RADIUS packets aren't sent over the Internet in the clear.
>> with latest version 2.x of FreeRADIUS you can have dynamic clients
>> etc which can select the correct shared secrets depending on
>> special DB lookups etc - but that's not a choice for you currently.
>
> Yes I read about this, and I'll be upgrading soon and moving to Linux. When
> writing the DB lookups, can I use the User-Name attribute pulled from the
> requests?
No. Only the source IP address.
> This will I think let me search for shared secret based on both
> the RadiusClient IP and the domain... the other server I tried couldn't do
> this. I would also consider using the MAC address of the AP instead or in
> addition to the domain.
I don't think that's necessary. The source IP address should be good
enough.
Alan DeKok.
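The point Alan makes above (the shared secret is chosen by source IP, before anything in the packet can be read) is easier to see with the User-Password obfuscation from RFC 2865 section 5.2. The following is an added example, not code from the thread or from FreeRADIUS; the client table, the two documentation-range addresses and the fixed Request Authenticator are constructed. It shows that when the lookup returns the wrong secret (for instance because two sites sit behind one NAT address and only one secret can be registered for it), the password decodes to garbage and the request cannot be authenticated.

```python
import hashlib
from typing import Optional

# Constructed client table keyed on source IP, the only thing a RADIUS server
# has before it decodes the packet (constructed addresses and secrets).
CLIENTS = {
    "198.51.100.10": b"site-a-secret",
    "203.0.113.20": b"site-b-secret",
}


def lookup_secret(src_ip: str) -> Optional[bytes]:
    """Select the shared secret for a client purely by its source IP."""
    return CLIENTS.get(src_ip)


def _user_password_xform(secret: bytes, authenticator: bytes,
                         data: bytes, encrypt: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block chains on the Request Authenticator."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = block if encrypt else chunk  # always chain on the ciphertext
    return bytes(out)


def encrypt_user_password(secret: bytes, authenticator: bytes,
                          password: bytes) -> bytes:
    """What the NAS does before sending: pad with NULs to a 16-byte multiple."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16 or 16 * (not password))
    return _user_password_xform(secret, authenticator, padded, True)


def decrypt_user_password(secret: bytes, authenticator: bytes,
                          encrypted: bytes) -> bytes:
    return _user_password_xform(secret, authenticator, encrypted, False).rstrip(b"\x00")


def password_from_request(src_ip: str, authenticator: bytes,
                          encrypted: bytes) -> Optional[bytes]:
    """Server side: pick the secret by source IP, then decode User-Password.
    An unknown source IP is dropped, as FreeRADIUS does with unknown clients."""
    secret = lookup_secret(src_ip)
    if secret is None:
        return None
    return decrypt_user_password(secret, authenticator, encrypted)
```

If site B's request arrived from site A's address (one NAT in front of both), the server would apply site A's secret and the decoded password would not match, so the user would be rejected even though the NAS did nothing wrong.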