Hi, all On Fri, 9 Nov 2007, Alan DeKok wrote:
David Mitchell wrote:
We've run into a potential problem with our FreeRadius setup. We currently use per-client keys for security. We have begun testing dynamic DNS updates and have run into the problem of having the radius server fail to start because an entry in clients.conf refers to a DNS entry which doesn't exist. We could use only IP addresses in clients.conf, but that means we can't have dynamic addresses for clients. We could also use per-subnet keys but we really want to keep the increase in security afforded by having unique keys for each host.
Is it difficult to configure the clients with static IP's? If so, why?
I imagine that wifi hubs on Verizon DSL would have issues with this, because they don't have static IPs.
This would mean that an attacker can send you packets where the source IP has no DNS entry. The RADIUS server would then try to resolve DNS, and fail, potentially causing a DoS attack.
Attackers usually have no choice of whether they have reverse DNS or not. In the case where they do have control over reverse DNS, (and you do DNS 'authentication checking'), then attack is much worse because they can make the PTR be a.b.c.d.e.f.g.h.i.j.k.l.m.... (256 characters) and that can take a long, long time to resolve to an IP address.
Remember, it has to do the right thing both for the cases you want it to work, AND for the cases where you don't want it to die.
I suggest a custom module to configure the clients in the server dynamically, and then a way to update the client database (rather just like some dynamic DNS is updated with a http query)
I would suggest having a two-level client definition. One, define a network/mask for such dynamic clients. Two, define a mapping of secrets, based on the attributes in the packet.
I can't speak for this poster, but that won't work for the guy using certain providers' DSL lines. --Dean -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000