sophana <sophana@zizi.ath.cx> wrote:
In my project, I don't own the hotspots, and don't know about the hotspots ISPs. The hotspots communicate to the radius server though the internet.
I would suggest using another method to get a secure connection to the hotspot. Maybe IPSec. Barring that, each hotspot has a dynamic IP within a small network range. So you can list the network in "clients.conf", and at least have one shared secret per hotspot location. This *is* documented in clients.conf, please read it.
Ok. I don't know much about the radius protocol details, maybe you could help me understanding how secure would be a solution where the secret is know by everybody.
I thought I said it WOULDN'T be secure. What part of my response was unclear?
Now, once a user is authenticated, how does the nas send accounting info?
Read the documentation. That's what it's there for.
Does it have to authenticate again, or is its ip address (and its (public known)secret) sufficient to authenticate? Do you need at least a session id?
You're confused. Users authenticate. NASes don't.
Imagine that the malicious use cannot listen to the radius communications. What can it do without authentication?
Not get on the network? I don't understand why you're asking these questions.
I need security, because I will use accounting info to perform facturation...
Facturation isn't an english word. Alan DeKok.