FreeRadius + MySQL + Multiple Dynamic Clients

Peter Lambrechtsen plambrechtsen at gmail.com
Fri Oct 29 06:11:42 CEST 2010


On Fri, Oct 29, 2010 at 4:33 PM, Tyler Nally <tnally at technally.com> wrote:

> Right... Ok.. so are these different traveling mobile offices in
> documentation of what is called a VLAN (with a dynamic IP to the internet
> side of the router that in turn hands out IPs to its clients) ?
>

The traveling mobile routers are NAS's (http://wiki.freeradius.org/NAS)


> Somehow the router authenticates by something secret that only it and the
> FreeRadius server knows .. and then the user authenticates via user/password
> FreeRadius a different way. Assuming the router has to authenticate
> successfully first before the user's turn.
>

Yes, the NAS and FreeRadius share a Shared Secret.  The user's password is
encrypted using the Shared Secret by the NAS before it sends the request to
FreeRadius.

So probably having a config in your clients.conf like:

client 10.64.0.0/16 {
    secret        = supersecretpassword
    shortname    = MobileNetworkIPAddresses
}

And assign the same shared password onto all your NAS's would be all you
need.

Not all that secure having this over the internet, that's why I said having
a "private office" offering from the Telco would be a better option.  But if
that's not available, then putting a firewall in front of your FR box, so
that only traffic from the Telco's Mobile IP Address range is permitted, is
probably the best you are going to be able to do.


> I don't want FreeRadius to hand out IPs.  I think I want the AP to do
> that.


That would be up to how you configure your NAS.