Can RADIUS policy file in the authentication step reject a few servers to authenticate and allow all others to authenticate? My understanding is that RADIUS can only use IP-Framed Protocol to allow a number of systems to authenticate and reject the rest but can't do the opposite. Any ideas about how to accomplish this would be appreciated. Thanks. Vinh -- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11110867 Sent from the FreeRadius - User mailing list archive at Nabble.com.
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf. Use firewall to block access to radius ports for those specific IP addresses. Ivan Kalik Kalik Informatika ISP Dana 14/6/2007, "nguyenvinht" <nguyenvinht81@yahoo.com> piše:
Can RADIUS policy file in the authentication step reject a few servers to authenticate and allow all others to authenticate? My understanding is that RADIUS can only use IP-Framed Protocol to allow a number of systems to authenticate and reject the rest but can't do the opposite. Any ideas about how to accomplish this would be appreciated.
Thanks. Vinh -- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11110867 Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for replying. I want to implement this through RADIUS Server. Looking for some code modification or new attributes to accomplish the task. Vinh. tnt wrote:
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf. Use firewall to block access to radius ports for those specific IP addresses.
Ivan Kalik Kalik Informatika ISP
Dana 14/6/2007, "nguyenvinht" <nguyenvinht81@yahoo.com> piše:
Can RADIUS policy file in the authentication step reject a few servers to authenticate and allow all others to authenticate? My understanding is
that
RADIUS can only use IP-Framed Protocol to allow a number of systems to authenticate and reject the rest but can't do the opposite. Any ideas about how to accomplish this would be appreciated.
Thanks. Vinh -- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11110867 Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11129084 Sent from the FreeRadius - User mailing list archive at Nabble.com.
nguyenvinht wrote:
Thanks for replying. I want to implement this through RADIUS Server. Looking for some code modification or new attributes to accomplish the task.
Vinh.
tnt wrote:
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf. Use firewall to block access to radius ports for those specific IP addresses.
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf. Enter naughty hosts in naughty huntgroup. Check for naughty huntgroup and reject. Huntgroups naughty Packet-Src-IP-Address == naughtyhostone.com naughty Packet-Src-IP-Address == 139.184.12.1 naughty Packet-Src-IP-Address == 127.0.0.1 Users DEFAULT Huntgroup-Name == "naughty", Auth-Type := Reject Apparently RFC states that server must respond ... so unless you use a firewall, naughty hosts will know the servers alive , and be able to flood it with lots of requests. Only way to get FreeRADIUS to be quiet is to modify the source. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Thanks Arran. How and where do I implement those codes in AIX RADIUS? Doable on AIX RADIUS? Vinh Arran Cudbard-Bell wrote:
nguyenvinht wrote:
Thanks for replying. I want to implement this through RADIUS Server. Looking for some code modification or new attributes to accomplish the task.
Vinh.
tnt wrote:
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf. Use firewall to block access to radius ports for those specific IP addresses.
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf.
Enter naughty hosts in naughty huntgroup. Check for naughty huntgroup and reject.
Huntgroups naughty Packet-Src-IP-Address == naughtyhostone.com naughty Packet-Src-IP-Address == 139.184.12.1 naughty Packet-Src-IP-Address == 127.0.0.1
Users DEFAULT Huntgroup-Name == "naughty", Auth-Type := Reject
Apparently RFC states that server must respond ... so unless you use a firewall, naughty hosts will know the servers alive , and be able to flood it with lots of requests.
Only way to get FreeRADIUS to be quiet is to modify the source. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11130279 Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Fri 15 Jun 2007, nguyenvinht wrote:
Thanks Arran.
How and where do I implement those codes in AIX RADIUS? Doable on AIX RADIUS?
This is the FreeRADIUS mailing list. Please ask questions about other RADIUS servers elsewhere. -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
By reading the wiki, it said FreeRadius runs on AIX. Any documentation about how to install FreeRadius on AIX? Please let me know. Thanks. Peter Nixonn wrote:
On Fri 15 Jun 2007, nguyenvinht wrote:
Thanks Arran.
How and where do I implement those codes in AIX RADIUS? Doable on AIX RADIUS?
This is the FreeRADIUS mailing list. Please ask questions about other RADIUS servers elsewhere.
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11224860 Sent from the FreeRadius - User mailing list archive at Nabble.com.
Yes. FreeRADIUS has been known to run on AIX but I don't think anyone is actively testing it on AIX at present. Please report any issues you have, and you are welcome to document the installation procedure and put it in the wiki :-) Regards Peter On Thu 21 Jun 2007, nguyenvinht wrote:
By reading the wiki, it said FreeRadius runs on AIX. Any documentation about how to install FreeRadius on AIX? Please let me know. Thanks.
Peter Nixonn wrote:
On Fri 15 Jun 2007, nguyenvinht wrote:
Thanks Arran.
How and where do I implement those codes in AIX RADIUS? Doable on AIX RADIUS?
This is the FreeRADIUS mailing list. Please ask questions about other RADIUS servers elsewhere.
-- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Thanks Arran, Is packet-src-ip-address is a defined attribute in the huntgroups? Do you know where I can find more documentation about configurating huntgroups? Any thoughts about how freeRADIUS can stop the naughty hosts? Thanks in advance for your answers. Vinh Arran Cudbard-Bell wrote:
nguyenvinht wrote:
Thanks for replying. I want to implement this through RADIUS Server. Looking for some code modification or new attributes to accomplish the task.
Vinh.
tnt wrote:
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf. Use firewall to block access to radius ports for those specific IP addresses.
Allow everybody (who knows your secret) to use your radius server by entering 0.0.0.0/0 as client address in clents.conf.
Enter naughty hosts in naughty huntgroup. Check for naughty huntgroup and reject.
Huntgroups naughty Packet-Src-IP-Address == naughtyhostone.com naughty Packet-Src-IP-Address == 139.184.12.1 naughty Packet-Src-IP-Address == 127.0.0.1
Users DEFAULT Huntgroup-Name == "naughty", Auth-Type := Reject
Apparently RFC states that server must respond ... so unless you use a firewall, naughty hosts will know the servers alive , and be able to flood it with lots of requests.
Only way to get FreeRADIUS to be quiet is to modify the source. -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11257669 Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Arran Cudbard-Bell -
nguyenvinht -
Peter Nixon -
tnt@kalik.co.yu