Re: Multiple shared secret per IP?
On 14/02/2017 05:52, "Brian Candler" <b.candler@pobox.com> wrote: On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote:
user: monitor
source IP: 64.0.0.1
secret: MonitorAgent
^ - That’s easy. To complicate, I need to also authenticate real users from the same source server, using a different shared secret. (anyone can view the one above, so not secure) Ideally, I’d like to also lockdown the above secret key, to the single user.
Could you add a second IP address to the server (i.e. an alias), and bind to that when sending your test queries? I was just wondering about to reply and say exactly the same thing. On my development server I have bound 6 secondary IP addresses to it and use Packet-Src-IP-Address In the first line of the request. http://lists.freeradius.org/pipermail/freeradius-devel/2012-October/007185.h... The other option as suggested is to add multiple IP addresses on the server or a listen statement in the configuration with a new port and use a per port clients to specify the shared secret. In the end after various different ways of achieving it I created my own custom VSA and include that in the request to determine the NAS type. Then for normal NASes I use client shortname and make decisions in code. And for my development server I don't define client shortname and pass it in as an additional VSA.
Thank you all. I think running a secondary IP might be the way to go here. A lot of good suggestions. On 2/13/17, 12:14 PM, "Freeradius-Users on behalf of Peter Lambrechtsen" <freeradius-users-bounces+chtaylo2=cisco.com@lists.freeradius.org on behalf of peter@crypt.nz> wrote: On 14/02/2017 05:52, "Brian Candler" <b.candler@pobox.com> wrote: On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote: > user: monitor > > source IP: 64.0.0.1 > > secret: MonitorAgent > > > ^ - That’s easy. To complicate, I need to also authenticate real users > from the same source server, using a different shared secret. (anyone can > view the one above, so not secure) Ideally, I’d like to also lockdown the > above secret key, to the single user. > > > Could you add a second IP address to the server (i.e. an alias), and bind to that when sending your test queries? I was just wondering about to reply and say exactly the same thing. On my development server I have bound 6 secondary IP addresses to it and use Packet-Src-IP-Address In the first line of the request. http://lists.freeradius.org/pipermail/freeradius-devel/2012-October/007185.h... The other option as suggested is to add multiple IP addresses on the server or a listen statement in the configuration with a new port and use a per port clients to specify the shared secret. In the end after various different ways of achieving it I created my own custom VSA and include that in the request to determine the NAS type. Then for normal NASes I use client shortname and make decisions in code. And for my development server I don't define client shortname and pass it in as an additional VSA. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I found an interesting work around for anyone interested. If you have a need to have dual secret keys per IP address, the following seems to work: 1.) Create a new listener in sites-enabled/default a. You’ll want to listen on a different port b. Enable: clients = per_socket_clients 2.) In your clients.conf add: clients per_socket_clients { client socket_client { ipaddr = XX.XX.XX.XX secret = Monitor_Agent } } The default listener will continue to use the normal client shortname, while the new listener will use the secret key from socket client. This probably isn’t want this is intended for, but does work! On 2/13/17, 3:53 PM, "Freeradius-Users on behalf of Chris Taylor (chtaylo2)" <freeradius-users-bounces+chtaylo2=cisco.com@lists.freeradius.org on behalf of chtaylo2@cisco.com> wrote: Thank you all. I think running a secondary IP might be the way to go here. A lot of good suggestions. On 2/13/17, 12:14 PM, "Freeradius-Users on behalf of Peter Lambrechtsen" <freeradius-users-bounces+chtaylo2=cisco.com@lists.freeradius.org on behalf of peter@crypt.nz> wrote: On 14/02/2017 05:52, "Brian Candler" <b.candler@pobox.com> wrote: On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote: > user: monitor > > source IP: 64.0.0.1 > > secret: MonitorAgent > > > ^ - That’s easy. To complicate, I need to also authenticate real users > from the same source server, using a different shared secret. (anyone can > view the one above, so not secure) Ideally, I’d like to also lockdown the > above secret key, to the single user. > > > Could you add a second IP address to the server (i.e. an alias), and bind to that when sending your test queries? I was just wondering about to reply and say exactly the same thing. On my development server I have bound 6 secondary IP addresses to it and use Packet-Src-IP-Address In the first line of the request. http://lists.freeradius.org/pipermail/freeradius-devel/2012-October/007185.h... The other option as suggested is to add multiple IP addresses on the server or a listen statement in the configuration with a new port and use a per port clients to specify the shared secret. In the end after various different ways of achieving it I created my own custom VSA and include that in the request to determine the NAS type. Then for normal NASes I use client shortname and make decisions in code. And for my development server I don't define client shortname and pass it in as an additional VSA. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Chris Taylor (chtaylo2) -
Peter Lambrechtsen