Dynamic Clients IP Best practice?
I unfortunately have a large amount of hotspots that are behind dynamic ip's. We have tried to get as many of them onto statics as possible but are having issues with that. After having read through a few dozen different threads and readmes does freeradius have something that has been put into place to address this?( I assume the answer is no or I glazed over while reading and missed the answer) . If there is no built in feature is there a best practice for this? Reverse DNS and / or VPN tunnels are the 2 solutions I can think of that would secure the nas check. Is there something else I am missing I can read up on and look into? Thanks Brent
On Jun 23, 2011, at 9:24 PM, Brent Wilkinson wrote:
I unfortunately have a large amount of hotspots that are behind dynamic ip’s. We have tried to get as many of them onto statics as possible but are having issues with that. After having read through a few dozen different threads and readmes does freeradius have something that has been put into place to address this?( I assume the answer is no or I glazed over while reading and missed the answer) .
If there is no built in feature is there a best practice for this?
Reverse DNS and / or VPN tunnels are the 2 solutions I can think of that would secure the nas check. Is there something else I am missing I can read up on and look into?
You can define an IP range instead of individual client IPs, and then use the same shared secret for all the access points. -Arran
Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the Size and Complexity of Diameter
On 06/23/2011 08:24 PM, Brent Wilkinson wrote:
I unfortunately have a large amount of hotspots that are behind dynamic ip’s. We have tried to get as many of them onto statics as possible but are having issues with that. After having read through a few dozen different threads and readmes does freeradius have something that has been put into place to address this?( I assume the answer is no or I glazed over while reading and missed the answer) .
If there is no built in feature is there a best practice for this?
FreeRADIUS has the facility to dynamically create client entries; when a packet from an unknown client is received, a virtual packet is sent through a virtual server, and the reply is used to build a "client" statement. See sites-available/dynamic-clients Because you have the full capability of FreeRADIUS, including SQL/LDAP, scripts, perl/python modules etc. it should be easy to hook any access control system you want in; as long as you have some way to "authenticate" an IP really is a hotspot, or don't care about security ;o) In all seriousness, something like IPSec/GRE is more secure than this. A better solution long-term would be radius-over-TLS, but it's dead certain your APs don't support it.
"Brent Wilkinson" <brent@air2data.com> writes:
I unfortunately have a large amount of hotspots that are behind dynamic ip's. We have tried to get as many of them onto statics as possible but are having issues with that. After having read through a few dozen different threads and readmes does freeradius have something that has been put into place to address this?( I assume the answer is no or I glazed over while reading and missed the answer) .
If there is no built in feature is there a best practice for this?
If you can get the hotspots to report back to you whenever they change their address, then you can put something together by using the dynamic-clients feature. raddb/sites-available/dynamic-clients contains some documentation. You could e.g. combine that with letting the hotspots update their own clients entry in a database when their address changes, of course over a channel you see as secure enough, e.g https, ldaps or mysql over ssl. The advantage compared to the "ip range client" solution is that you get to keep unique shortnames and secrets per hotspot. But I don't want to estimate any security gain, since you must allow the clients to update their own client entry. If one of hotspots is insecure, then the whole network will be insecure. Bjørn
The advantage compared to the "ip range client" solution is that you get to keep unique shortnames and secrets per hotspot. But I don't want to estimate any security gain, since you must allow the clients to update their own client entry. If one of hotspots is insecure, then the whole network will be insecure.
Ok there are a couple of issues with using a database for dynamic clients. 1. The main server thread handles adding dynamic clients and blocks whilst the client is being read out of the database. This means no new requests are passed to the worker threads until the SQL module returns and the client is added. The normal way to mitigate against this is to preload all existing clients out of the SQL DB, but you can't do that in this case because that would create static entries, and potentially cause a conflict when an access point changes IP address (shared secrets would then be incorrect if you were using unique ones). So if lots of APs were active and being added for the first time since the server started you may notice increased latency responding to requests. It also kinda hoses the server if the database becomes inaccessible. 2. Because you're using dynamic IP addresses there's the potential for conflict. If two access points swapped IP allocations and you were using unique shared secrets the AP info would not be updated, the requests would just be rejected with a bad shared secret errors. There is a cache timer to expire entries, but if you set it too short you'll run into real issues with 1). So if you were to use dynamic clients you'd most likely want to use common shared secrets - Honestly with todays computational power they're pretty easy to break anyway (one of the many reasons for RADSEC). The only advantage then is Client-Short-Name, which you could easily populate using SQL XLAT from a database of Mac-Addresses (Calling-Station-ID) to Short-names (or a flat file, just change the key to be Calling-Station-ID). In this instance, if the NAS' aren't in too many different subnets and the subnets aren't likely to change, then IP ranges are still probably the best solution. Dynamic Clients are not really suited to highly dynamic environments. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
participants (4)
-
Arran Cudbard-Bell -
Bjørn Mork -
Brent Wilkinson -
Phil Mayers