Multiple radius clients from one IP

arjun sharma arjuniet.28 at gmail.com
Thu Jan 9 17:47:30 CET 2020


I replied from my phone; Alan had already explained what I wrote in my last mail.
Sorry for the duplication on my side.

On Thu, Jan 9, 2020, 9:53 PM arjun sharma <arjuniet.28 at gmail.com> wrote:

> Hi,
>
> https://wiki.freeradius.org/config/Virtual-server
>
> Please read this. It's very much possible: what you need to do is configure
> different RADIUS server auth and acct ports on each client (access point).
>
> Like on AP 1
> AUTH SERVER =  RADIUSIP: PORT 1
>
> ON AP2
> AUTH SERVER =  RADIUSIP: PORT2
>
> This way, virtual servers need to be configured to listen on these ports at
> the RADIUS site.
>
> Alan, this way clients with the same IP will be distinguished.
>
> Please read the above link.
>
> On Thu, Jan 9, 2020, 7:04 PM Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Jan 9, 2020, at 7:57 AM, Xander Lammertink <jooppy92 at hotmail.com>
>> wrote:
>> > I was working on setting up FreeRADIUS, however I came across the
>> following problem:
>> >
>> > I'd like to have the clients of my access point with multiple SSIDs to
>> authenticate using radius.
>> > The way I tried to set this up was by creating multiple clients each
>> having their own secret and refer to a virtual server.
>> > Based on the radius client, the preferred virtual server would be
>> chosen that would select the desired authentication mechanism.
>>
>>   Based on *what part* of the RADIUS client?  How does the server know
>> which packet comes from which client?
>>
>> > However, when I create two clients with the same "ipaddr" (which is the
>> case for my access point), I get the following error:
>> > freeradius[1234]: Failed to add duplicate client client_name
>>
>>   Yes.  RADIUS clients are distinguished by source IP address.  That's
>> how RADIUS works.
>>
>> > When reading the link below I see it's possible to use my approach,
>> except the ipaddr thing is making stuff difficult.
>> > https://networkradius.com/doc/3.0.10/raddb/sites-available/home.html
>>
>>   No, that page does *not* say it's possible to use your approach.  It
>> says each client can use its own virtual server.  It does *not* say that
>> you can list the same IP address for multiple clients.
>>
>> > So is there a way to have multiple clients authenticate from the same
>> IP address (each referring to another virtual server) without listing on
>> multiple tcp/udp ports?
>>
>>   No.  RADIUS doesn't work like that.
>>
>>   Think of it this way: how does the RADIUS server tell that the packet
>> is from client 1 versus from client 2?  What part of the configuration you
>> edited allows the server to make that distinction?
>>
>>   i.e. what piece of information lets the server tell the two packets
>> apart?
>>
>>   The answer is "nothing".  Therefore, what you're doing won't work.
>>
>>   Have the server listen on multiple ports, and configure different
>> clients to use different ports.
>>
>>   Alan DeKok.
>>
>>
>
>
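
The multi-port setup recommended in this thread, as an added configuration sketch that is not part of the original messages or of the FreeRADIUS project's shipped files. It assumes FreeRADIUS 3.x; the AP address 192.0.2.10, port 11812, the server and client names, the secrets, and the choice of EAP and PAP are all constructed for illustration.

```conf
# clients.conf: one client list per listening socket.
# Constructed values: 192.0.2.10 is the AP, secrets are placeholders.
# The same ipaddr may appear in both lists because each list is consulted
# only by the listener that references it.
clients staff_clients {
	client ap1_staff {
		ipaddr = 192.0.2.10
		secret = REPLACE_WITH_STAFF_SECRET
	}
}
clients guest_clients {
	client ap1_guest {
		ipaddr = 192.0.2.10
		secret = REPLACE_WITH_GUEST_SECRET
	}
}

# sites-enabled/ssid_staff: the AP's staff SSID points at port 1812.
# The stock "default" site also binds 1812; disable it or move its port.
server ssid_staff {
	listen {
		type = auth
		ipaddr = *
		port = 1812
		clients = staff_clients
	}
	authorize {
		eap
	}
	authenticate {
		eap
	}
}

# sites-enabled/ssid_guest: the AP's guest SSID points at port 11812.
server ssid_guest {
	listen {
		type = auth
		ipaddr = *
		port = 11812
		clients = guest_clients
	}
	authorize {
		files
		pap
	}
	authenticate {
		pap
	}
}
```

Accounting listeners follow the same pattern with `type = acct` on their own ports. The destination port is now the only thing that tells the two SSIDs apart, so the AP must let the RADIUS server port be set per SSID.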


More information about the Freeradius-Users mailing list