Multiple radius clients from one IP

arjun sharma arjuniet.28 at gmail.com
Thu Jan 9 17:23:45 CET 2020


Hi,

https://wiki.freeradius.org/config/Virtual-server

Please read this. It's very much possible. What you need to do is, on each
client (access point), configure different RADIUS server auth and acct ports.
Like on AP1:
AUTH SERVER = RADIUSIP:PORT1

On AP2:
AUTH SERVER = RADIUSIP:PORT2

This way, virtual servers need to be configured to listen on these ports at
radius site.

Alan, this way clients with the same IP will be distinguished.

Please read above link

On Thu, Jan 9, 2020, 7:04 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Jan 9, 2020, at 7:57 AM, Xander Lammertink <jooppy92 at hotmail.com>
> wrote:
> > I was working on setting up FreeRADIUS, however I came across the
> following problem:
> >
> > I'd like to have the clients of my access point with multiple SSIDs to
> authenticate using radius.
> > The way I tried to set this up was by creating multiple clients each
> having their own secret and refer to a virtual server.
> > Based on the radius client, the preferred virtual server would be chosen
> that would select the desired authentication mechanism.
>
>   Based on *what part* of the RADIUS client?  How does the server know
> which packet comes from which client?
>
> > However, when I create two clients with the same "ipaddr" (which is the
> case for my access point), I get the following error:
> > freeradius[1234]: Failed to add duplicate client client_name
>
>   Yes.  RADIUS clients are distinguished by source IP address.  That's how
> RADIUS works.
>
> > When reading the link below I see it's possible to use my approach,
> except the ipaddr thing is making stuff difficult.
> > https://networkradius.com/doc/3.0.10/raddb/sites-available/home.html
>
>   No, that page does *not* say it's possible to use your approach.  It
> says each client can use its own virtual server.  It does *not* say that
> you can list the same IP address for multiple clients.
>
> > So is there a way to have multiple clients authenticate from the same IP
> address (each referring to another virtual server) without listing on
> multiple tcp/udp ports?
>
>   No.  RADIUS doesn't work like that.
>
>   Think of it this way: how does the RADIUS server tell that the packet is
> from client 1 versus from client 2?  What part of the configuration you
> edited allows the server to make that distinction?
>
>   i.e. what piece of information lets the server tell the two packets
> apart?
>
>   The answer is "nothing".  Therefore, what you're doing won't work.
>
>   Have the server listen on multiple ports, and configure different
> clients to use different ports.
>
>   Alan DeKok.


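The multi-port setup that both replies recommend, sketched as an added example that is not part of the original thread or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 3.x per-socket client lists (`clients = ...` inside a `listen` section); the server names, list names, address 192.0.2.10, port 11812 and secrets are constructed placeholders.

```text
# Constructed example for FreeRADIUS 3.x; all names and values are placeholders.

# clients.conf: one client list per listening socket. The AP's address
# appears in both lists, each with its own secret, because a list is
# only consulted for packets arriving on the socket that references it.
clients ssid_staff_clients {
    client ap1_staff {
        ipaddr = 192.0.2.10
        secret = CHANGE_ME_STAFF_SECRET
    }
}
clients ssid_guest_clients {
    client ap1_guest {
        ipaddr = 192.0.2.10
        secret = CHANGE_ME_GUEST_SECRET
    }
}

# sites-enabled/ssid_staff: the AP sends this SSID's requests to port 1812.
server ssid_staff {
    listen {
        type = auth
        ipaddr = *
        port = 1812
        clients = ssid_staff_clients
    }
    authorize {
        eap
    }
    authenticate {
        eap
    }
}

# sites-enabled/ssid_guest: the AP sends this SSID's requests to port 11812.
server ssid_guest {
    listen {
        type = auth
        ipaddr = *
        port = 11812
        clients = ssid_guest_clients
    }
    authorize {
        files
        pap
    }
    authenticate {
        pap
    }
}
```

The destination port is the piece of information that lets the server tell the two packet streams apart, so each SSID on the access point must point at its own port. Accounting needs a matching `listen` section with `type = acct` on a separate port in each virtual server.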