Eric Geier wrote:
- in this case, they will appear to the FreeRADIUS server as originating from the IP address of your real outside world gateway/NAT box. therefore each of your sites will be presented to the FreeRADIUS server as different IP addresses.
Are you saying it would work, FreeRADIUS would respond to the individual sites?
Yes. This is how *any* networking protocol works.
of course, you could really freak things out by using VPN tunnels from the inside networks of each site direct to the FreeRADIUS box - but if all your sites use the same range of addresses then the server wouldnt have a clue at all of which tunnel to send the reply down!
Why would I want to VPN to the server?
So that your RADIUS packets aren't sent over the Internet in the clear.
with latest version 2.x of FreeRADIUS you can have dynamic clients etc which can select the correct shared secrets depending on special DB lookups etc - but thats not a choice for you currently.
Yes I read about this, and I'll be upgrading soon and moving to Linux. When writing the DB lookups, can I use the User-Name attribute pulled from the requests?
No. Only the source IP address.
This will I think let me search for shared secret based on both the RadiusClient IP and the domain....the other server I tried couldn't do this. I would also consider using the MAC address of the AP instead or in addition to the domain.
I don't think that's necessary. The source IP address should be good enough. Alan DeKok.