Dualstack NAS ignored by RADIUS server when using IPv4

Alan DeKok aland at deployingradius.com
Mon Feb 11 13:55:27 CET 2013


Ondrej Famera wrote:
> - yes, I restart RADIUS after adding/removing a record from the DB, but the result is that only one address
> is resolved per hostname (so a dualstack hostname gets resolved only to a single IPv6 address - in the
> context of the RADIUS server, a regular DNS query returns both the IPv4 and IPv6 address)

  RADIUS uses the source IP address to look up the shared secret.  There
is no "multiple IPs map to one secret" functionality.

  I'd be opposed to adding that, as it doesn't follow traditional RADIUS
practice.  i.e., the other RADIUS clients/servers on the network don't
behave this way, either.

  On top of that, it gets into issues of responsibility.  The DNS system
may not be managed by the RADIUS department.  And you don't want the DNS
people to take down your RADIUS server by breaking DNS.

  So it's safer to use IP addresses.

> - I haven't tried this yet, but it looks like I still need to resolve hostnames to addresses
> somewhere, while my goal was to avoid this and let RADIUS do this stuff

  RADIUS depends on addresses, not host names.  Using host names is wrong.

> - furthermore, I have a different secret for every hostname on the same network (like 10.0.0.0/24),
> and according to the documentation (raddb/sites-available/dynamic_clients) I need to assign secrets
> to addresses, not hostnames, so it looks again like a no-go solution for me

  You can just use addresses.  But maybe you mean you have two
hostnames, both mapping to one address, but with different secrets.  No,
that's not going to work.  It's impossible.  RADIUS doesn't work that way.

  Alan DeKok.
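What Alan describes above translates directly into how a dual-stack NAS has to be defined in raddb/clients.conf: the server picks the shared secret by the source address of the incoming packet, so a NAS that can send from both an IPv4 and an IPv6 address needs one client entry per address. The following is an added illustration, not configuration from the original thread or from the FreeRADIUS project; the addresses and secret are constructed placeholders, and the block assumes the FreeRADIUS 2.x clients.conf syntax (`ipaddr` for IPv4, `ipv6addr` for IPv6, one address per `client` block).

```conf
# Added example (not from the thread): one dual-stack NAS, defined twice,
# once per source address it can use.  The secret is looked up by the
# source IP of each packet, so both entries must exist for both address
# families to be accepted.  Addresses and secret are constructed placeholders.

# IPv4 side of the NAS.
client nas1-v4 {
        ipaddr    = 192.0.2.10
        secret    = replace-with-your-own-secret
        shortname = nas1
}

# IPv6 side of the same NAS.  A separate block is required; the 2.x
# syntax does not let one block carry both an ipaddr and an ipv6addr.
client nas1-v6 {
        ipv6addr  = 2001:db8::10
        secret    = replace-with-your-own-secret
        shortname = nas1
}

# What NOT to do for a dual-stack NAS:
#
#   client nas1 {
#           ipaddr = nas1.example.net
#           secret = replace-with-your-own-secret
#   }
#
# A hostname here is resolved once, at startup, to a single address
# (in the poster's case the IPv6 one).  Packets arriving from the other
# address family then match no client and are dropped as coming from an
# unknown client, which is exactly the symptom described in the thread.
```

Two points worth checking after editing the file: each `client` block must be keyed by a literal address, and every address the NAS can source packets from needs its own block, even when the secret is the same. Restarting the server and watching the debug output for packets from the NAS's second address is the quickest way to confirm both entries are being matched.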
