Too bad, I was hoping there would be a possibility where it would loop through all clients with that IP and check which one has a matching secret. But I guess best options is to use different port. ________________________________ Van: Freeradius-Users <freeradius-users-bounces+jooppy92=hotmail.com@lists.freeradius.org> namens arjun sharma <arjuniet.28@gmail.com> Verzonden: donderdag 9 januari 2020 17:47 Aan: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Onderwerp: Re: Multiple radius clients from one IP I replied from my phone Alan already explained what I wrote in last mail sorry for duplicacy from my side On Thu, Jan 9, 2020, 9:53 PM arjun sharma <arjuniet.28@gmail.com> wrote:
Hi,
https://wiki.freeradius.org/config/Virtual-server
Please read this it's very much possible what you need to do is on each client ( access point) configure radius server auth and acct ports different
Like on AP 1 AUTH SERVER = RADIUSIP: PORT 1
ON AP2 AUTH SERVER = RADIUSIP: PORT2
This way virtual severs need to be configured to listen on these ports at radius site
Alan this way client with same ip will be distinguished
Please read above link
On Thu, Jan 9, 2020, 7:04 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 9, 2020, at 7:57 AM, Xander Lammertink <jooppy92@hotmail.com> wrote:
I was working on setting up FreeRADIUS, however I came across the following problem:
I'd like to have the clients of my access point with multiple SSIDs to authenticate using radius. The way I tried to set this up was by creating multiple clients each having their own secret and refer to a virtual server. Based on the radius client, the preferred virtual server would be chosen that would select the desired authentication mechanism.
Based on *what part* of the RADIUS client? How does the server know which packet comes from which client?
However, when I create two clients with the same "ipaddr" (which is the case for my access point), I get the following error: freeradius[1234]: Failed to add duplicate client client_name
Yes. RADIUS clients are distinguished by source IP address. That's how RADIUS works.
When reading the link below I see it's possible to use my approach, except the ipaddr thing is making stuff difficult. https://networkradius.com/doc/3.0.10/raddb/sites-available/home.html
No, that page does *not* said it's possible to use your approach. it says each client can use it's own virtual server. It does *not* say that you can list the same IP address for multiple clients.
So is there a way to have multiple clients authenticate from the same IP address (each referring to another virtual server) without listing on multiple tcp/udp ports?
No. RADIUS doesn't work like that.
Think of it this way: how does the RADIUS server tell that the packet is from client 1 versus from client 2? What part of the configuration you edited allows the server to make that distinction?
i.e. what piece of information lets the server tell the two packets apart?
The answer is "nothing". Therefore, what you're doing won't work.
Have the server listen on multiple ports, and configure different clients to use different ports.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html