<div>As simple as this:</div><div><br></div>"shared secret", "clients", "user" and so on are all part of the link defined on the RFC2865 (where RADIUS is defined).<div><br></div><div>So, for anyone who already read the RADIUS RFC, understanding how it's implemented on freeradius should be easy. If this is confusing for somebody, he should propose changes to the RFC.</div>
<div><br></div><div><a href="http://www.ietf.org/rfc/rfc2865.txt">http://www.ietf.org/rfc/rfc2865.txt</a></div><div><br></div><div>Greetings.<br><br><div class="gmail_quote">On Fri, Dec 11, 2009 at 12:20 PM, <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">> Document problems:<br>
> Here is an example excerpt from a page on the web:<br>
><br>
> CLIENTS<br>
> Make sure the clients (portmasters, Linux with portslave etc) are set up<br>
> to<br>
> use the host FreeRADIUS is running on as authentication and accounting<br>
> host.<br>
> Configure these clients to use a "radius secret password". For every<br>
> client,<br>
> also enter this "secret password" into the file /etc/raddb/clients.conf<br>
><br>
> Allow me to tell you where my confusion is:<br>
> 1-The "clients" becomes confusing, when I see portmasters .etc. Is this<br>
> meant the users who want to get access through a NAS or AP?<br>
<br>
</div>Right, you are confusing clients of radius server with clients of the<br>
server that uses radius for authentication. Radius client is a device that<br>
uses radius server for authentication. That device is usually a network<br>
access server (NAS) which in turn has it's clients trying to use the<br>
network. These clients are in radius "speak" called users.<br>
<div class="im"><br>
> 2-The "host" here meant to be the server? Why is it called host?<br>
<br>
</div>It's a device on which freeradius is running ie it's hosting this program.<br>
<div class="im"><br>
> 3-The "radius secret password" is defined again as "secret password" and<br>
> "shared secret", all these meant PSK (preshared key). Why is it not called<br>
> so? Instead of adding many different words for the same definition. See<br>
> I'm<br>
> an engineer; definitions are critical to my understanding, and subtle<br>
> differences can throw me off. May be I'm too meticulous.<br>
><br>
> 4-I looked up the "secret password" in the clients.conf, it was defined as<br>
> "shared secret". All this confusion could have been eliminated by just<br>
> using<br>
> PSK (PreShared Key).<br>
<br>
</div>Term "preshared key" is mostly associated with wireless. "Shared secret"<br>
is preferred term.<br>
<div class="im"><br>
> 5-Please take a look at this paragraph from the same file:<br>
> #<br>
> # You can now specify one secret for a network of clients.<br>
> # When a client request comes in, the BEST match is chosen.<br>
> # i.e. The entry from the smallest possible network.<br>
> #<br>
> #client <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> {<br>
> # secret = testing123-1<br>
> # shortname = private-network-1<br>
> #}<br>
><br>
> 1-The above tells me, every user will have to be entered into Radius with<br>
> a<br>
> user and password, which is obvious, but why the IP address has to be as<br>
> part of this context? A user would use DHCP so this cannot be used.<br>
<br>
</div>See above. This is where you define radius clients. They have to have a<br>
fixed IP for radius server to accept radius requests from them. Security<br>
measure.<br>
<br>
You define users and passwords in users file. Or sql, ldap, use system<br>
passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite<br>
a range of options for passwords storage and validation<br>
<br>
Ivan Kalik<br>
<div><div></div><div class="h5"><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>