Multiple shared secret per IP?
On FreeRadius v.3.0.12. I have a requirement where I need to send test authentications to the F.R. server, which are then proxy’ed. i.e: user: monitor source IP: 64.0.0.1 secret: MonitorAgent ^ - That’s easy. To complicate, I need to also authenticate real users from the same source server, using a different shared secret. (anyone can view the one above, so not secure) Ideally, I’d like to also lockdown the above secret key, to the single user. i.e: user: userA, etc, etc source IP: 64.0.0.1 secret: SD%^GHJ Is it possible to have multiple secret strings per IP or maybe different domains per IP? If not, any recommendations? Thanks!!
Chris Taylor (chtaylo2) <chtaylo2@cisco.com> wrote:
Is it possible to have multiple secret strings per IP or maybe different domains per IP? If not, any recommendations?
Validating the shared secret is one of the very first things done in the RADIUS protocol; if it is not valid, the rest of the data in the packet is not trusted, so there is no trustworthy data outside the IP header to multiplex on. If the monitor utility can send to a different UDP port, I'd just do that and treat them like two different clients. The only hitch is the monitor could stay up when the service goes down if there is a firewalling SNAFU. If the only purpose of this test is for internal reachability determinations, see if using Status-Server is a possibility. Setting up end-to-end testing with a "real" client is sometimes advisable and makes the use of internal test clients a moot point.
Oh actually here's a possible hinky trick I just thought of: Use iptables to inspect the incoming packet for the special username, assuming you can prevent it from being used by a normal user. When you find it, port-forward the packet to an alternate port that hots a different listen/client directive.
On Feb 13, 2017, at 9:47 AM, Chris Taylor (chtaylo2) <chtaylo2@cisco.com> wrote:
Is it possible to have multiple secret strings per IP or maybe different domains per IP? If not, any recommendations?
No. The clients should use IPSec to get different private IPs, or they should use RADIUS over TLS. This is one of the things we're looking at changing in v4. It should be possible to have shared secrets per connection, i.e. (src/dst IP/port) Alan DeKok.
On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote:
user: monitor
source IP: 64.0.0.1
secret: MonitorAgent
^ - That’s easy. To complicate, I need to also authenticate real users from the same source server, using a different shared secret. (anyone can view the one above, so not secure) Ideally, I’d like to also lockdown the above secret key, to the single user.
Could you add a second IP address to the server (i.e. an alias), and bind to that when sending your test queries?
participants (4)
-
Alan DeKok -
Brian Candler -
Brian Julin -
Chris Taylor (chtaylo2)