rlm_raw in 3.1.x

Alan DeKok aland at deployingradius.com
Mon Jul 6 15:05:01 CEST 2015


On Jul 6, 2015, at 8:37 AM, Paul Trappitt <paul at freedomwifi.com.au> wrote:
> Thanks, yeah I had found that post. I guess it's not really of much help
> though. Why is it wrong and what is a valid alternative? Seems as though
> the dynamic clients module is a bit "cut off at the knees" in a public wifi
> service provider scenario if all it can access is the src IP address.

  It's about security.  The various fields in the packet are just data.  Anyone can invent anything, and put the data there.  Forging source IPs and having them route across the wider internet is a lot more difficult.

  If you need random machines to be RADIUS clients, you should use RADIUS over TLS.  v3 supports it.  You can put a local proxy onto the remote site, and then have that proxy connect to a central server.  The central server can then do certificate authentication of the edge machines.

  Anything else is insecure, and terrible in practice.  It doesn't matter if it's convenient.  Not using protection is convenient.  But the side effects can be grim.

  If you want to use rlm_raw in v3, go right ahead.  But the build system has changed.  The internal APIs have changed.  You'll have to know C in order to get it working.

  Alan DeKok.




More information about the Freeradius-Devel mailing list