RE: Duplicate IPs for Radius Clients with different secrets
The best solution I can think of that I want to mimic is SecureMyWiFi from WiTopia, a hosted radius service (www.witopia.net). Their service works just like I want.
Are you saying it would work, FreeRADIUS would respond to the individual sites?
Yes. This is how *any* networking protocol works.
Would the server see request from just coming from the Internet IPs or individual APs...meaning would I have to list each location's Internet IP in the client.conf file? I want to be able to list each AP IP individually, tagged with the domain it belongs to.
of course, you could really freak things out by using VPN tunnels from the inside networks of each site direct to the FreeRADIUS box - but if all your sites use the same range of addresses then the server wouldnt have a clue at all of which tunnel to send the reply down!
Why would I want to VPN to the server?
So that your RADIUS packets aren't sent over the Internet in the clear.
Gotcha, I need to read more about this.
with latest version 2.x of FreeRADIUS you can have dynamic clients etc which can select the correct shared secrets depending on special DB lookups etc - but thats not a choice for you currently.
Yes I read about this, and I'll be upgrading soon and moving to Linux. When writing the DB lookups, can I use the User-Name attribute pulled from the requests?
No. Only the source IP address.
Then I'm not sure how I would pull the correct shared secrets...unless it all works per internet IP rather than per AP.
This will I think let me search for shared secret based on both the RadiusClient IP and the domain....the other server I tried couldn't do this. I would also consider using the MAC address of the AP instead or in addition to the domain.
I don't think that's necessary. The source IP address should be good enough.
Same as above. Thanks, Eric
participants (1)
-
Eric Geier