Testing radius server

gera gera at gera.me
Fri Dec 11 20:58:58 CET 2009


As simple as this:

"shared secret", "clients", "user" and so on are all part of the link
defined in RFC 2865 (where RADIUS is defined).

So, for anyone who has already read the RADIUS RFC, understanding how it's
implemented in freeradius should be easy. If this is confusing for somebody,
he should propose changes to the RFC.

http://www.ietf.org/rfc/rfc2865.txt

Greetings.

On Fri, Dec 11, 2009 at 12:20 PM, <tnt at kalik.net> wrote:

> > Document problems:
> > Here is an example excerpt from a page on the web:
> >
> > CLIENTS
> > Make sure the clients (portmasters, Linux with portslave etc) are set up
> > to use the host FreeRADIUS is running on as authentication and accounting
> > host. Configure these clients to use a "radius secret password". For every
> > client, also enter this "secret password" into the file /etc/raddb/clients.conf
> >
> > Allow me to tell you where my confusion is:
> > 1-The "clients" becomes confusing, when I see portmasters etc. Is this
> > meant the users who want to get access through a NAS or AP?
>
> Right, you are confusing clients of radius server with clients of the
> server that uses radius for authentication. Radius client is a device that
> uses radius server for authentication. That device is usually a network
> access server (NAS) which in turn has its clients trying to use the
> network. These clients are in radius "speak" called users.
>
> > 2-The "host" here meant to be the server? Why is it called host?
>
> It's a device on which freeradius is running, i.e. it's hosting this program.
>
> > 3-The "radius secret password" is defined again as "secret password" and
> > "shared secret", all these meant PSK (preshared key). Why is it not called
> > so? Instead of adding many different words for the same definition. See
> > I'm an engineer; definitions are critical to my understanding, and subtle
> > differences can throw me off. Maybe I'm too meticulous.
> >
> > 4-I looked up the "secret password" in the clients.conf, it was defined as
> > "shared secret". All this confusion could have been eliminated by just
> > using PSK (PreShared Key).
>
> Term "preshared key" is mostly associated with wireless. "Shared secret"
> is preferred term.
>
> > 5-Please take a look at this paragraph from the same file:
> > #
> > #  You can now specify one secret for a network of clients.
> > #  When a client request comes in, the BEST match is chosen.
> > #  i.e. The entry from the smallest possible network.
> > #
> > #client 192.168.0.0/24 {
> > #     secret          = testing123-1
> > #     shortname       = private-network-1
> > #}
> >
> > 1-The above tells me, every user will have to be entered into Radius with
> > a user and password, which is obvious, but why the IP address has to be as
> > part of this context? A user would use DHCP so this cannot be used.
>
> See above. This is where you define radius clients. They have to have a
> fixed IP for radius server to accept radius requests from them. Security
> measure.
>
> You define users and passwords in users file. Or sql, ldap, use system
> passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite
> a range of options for password storage and validation.
>
> Ivan Kalik
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
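The distinction Ivan draws above (clients.conf names the NAS, keyed by its source IP and a shared secret; users live in the users file or a backend) and the "BEST match is chosen" rule in the quoted clients.conf comment can both be shown in code. The following is an added example written for this page; it is neither FreeRADIUS code nor a reply from the thread. It implements only the parts of RFC 2865 the thread touches: longest-prefix client lookup, User-Password hiding with the shared secret (section 5.2) and the Response Authenticator (section 3). The client table, user names, passwords and the Request Authenticator are constructed; Message-Authenticator, retransmission and all other attributes are left out.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed clients.conf-style table for this example (not real deployment data):
# (network, shared secret, shortname). The /16 and /24 overlap on purpose.
CLIENTS = [
    ("192.168.0.0/16", b"testing123-2", "private-network-2"),
    ("192.168.0.0/24", b"testing123-1", "private-network-1"),
    ("10.0.0.1/32",    b"nas01-secret", "nas01"),
]


def lookup_client(src_ip, clients=CLIENTS):
    """Pick the entry from the smallest matching network (longest prefix).
    Returns (secret, shortname), or None if the source IP is not a known client."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for cidr, secret, shortname in clients:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, secret, shortname)
    return None if best is None else (best[1], best[2])


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password, as the server does it. Padding NULs are stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, request_authenticator, username, password, secret):
    """Code 1 = Access-Request, carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    hidden = hide_password(password, secret, request_authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_handle(packet, src_ip, users):
    """Toy server side. Unknown source IP: silently discard (return None), as the
    RFC requires. Otherwise decode the password with that client's secret and
    answer Access-Accept (2) or Access-Reject (3). `users` is the users-file stand-in."""
    client = lookup_client(src_ip)
    if client is None:
        return None
    secret, _shortname = client
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_authenticator = packet[4:20]
    attrs, parsed, i = packet[20:length], {}, 0
    while i < len(attrs):                       # walk the Type/Length/Value attributes
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2:                        # malformed length would loop forever
            break
        parsed[attr_type] = attrs[i + 2:i + attr_len]
        i += attr_len
    password = reveal_password(parsed.get(2, b""), secret, request_authenticator)
    code = 2 if users.get(parsed.get(1)) == password else 3
    return (struct.pack("!BBH", code, identifier, 20)
            + response_authenticator(code, identifier, b"", request_authenticator, secret))


def verify_response(response, request_authenticator, secret):
    """Client side: accept a reply only if its authenticator was computed with our secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:length],
                                      request_authenticator, secret)
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    ra = bytes(range(16))                       # constructed; must be random in practice
    req = build_access_request(7, ra, b"bob", b"hunter2", b"testing123-1")
    resp = server_handle(req, "192.168.0.5", {b"bob": b"hunter2"})
    print("code", resp[0], "genuine", verify_response(resp, ra, b"testing123-1"))
```

Three behaviours worth noticing when running it: a request from 192.168.0.5 is matched by the /24 entry even though the /16 also contains it; a request from an address in no entry gets no answer at all; and a NAS configured with the wrong secret gets an Access-Reject, not an error, because the password simply decodes to garbage. The Request Authenticator is fixed here only so the test is reproducible; in real traffic it must be unpredictable, and the MD5-based hiding gives no more protection than the secret is worth, which is why the secret is per client and long.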