sophana <sophana@zizi.ath.cx> wrote:
I saw in the freeradius source that the NAS are identified from the ip address, and the secret is determined from it.
That's how RADIUS works.
My problem is that there can be hotspots on dynamic ip addresses. The solution I found actually is to have an unique secret shared with all hotspots. So the secret is known by everybody.
Or, make the hotspots NOT have dynamic IP's. There's no reason why they should have dynamic IP's.
- What can a malicious user can do with the secret? Can it alter accounting and other things? (chillispot uses chap auth-type)
If someone knows the secret, he can do *anything* to the packets without the RADIUS server being able to tell.
- Is there a way of maintaining a per hotspot secret with dynamic ip addresses?
Not really, no. Alan DeKok.