Thanks for your reply.
I'm not exactly sure. How does a RADIUS server work over the Internet? I'm not connecting the radius clients onto the same LAN. If a radius request comes in from the internet, would the server send responses to the Internet IP that it received it from (which I think would work for my case) or would it send to the radius client IP?
Here's what I'm trying to do: Host a radius server on the Internet...for PEAP 802.1X (WPA- enterprise). Each AP at the different offices would be set with the Internet IP address of where the radius server is running, along with a shared secret. There would likely be APs set to the same IP address, that's why I'm asking about all this.
i'm having a quick stab in the dark here - I'm guessing that your APs will have local non routed addresses on their LAN - eg 192.168.x.x or 172.16.x.x etc
Yes, that's correct.
- in this case, they will appear to the FreeRADIUS server as originating from the IP address of your real outside world gateway/NAT box. therefore each of your sites will be presented to the FreeRADIUS server as different IP addresses.
Are you saying it would work, FreeRADIUS would respond to the individual sites?
of course, you could really freak things out by using VPN tunnels from the inside networks of each site direct to the FreeRADIUS box - but if all your sites use the same range of addresses then the server wouldnt have a clue at all of which tunnel to send the reply down!
Why would I want to VPN to the server?
with latest version 2.x of FreeRADIUS you can have dynamic clients etc which can select the correct shared secrets depending on special DB lookups etc - but thats not a choice for you currently.
Yes I read about this, and I'll be upgrading soon and moving to Linux. When writing the DB lookups, can I use the User-Name attribute pulled from the requests? This will I think let me search for shared secret based on both the RadiusClient IP and the domain....the other server I tried couldn't do this. I would also consider using the MAC address of the AP instead or in addition to the domain. Thanks!