Please document dynamic in proxy server section in proxy.conf
aland at deployingradius.com
Thu Mar 19 13:47:16 CET 2015
On Mar 19, 2015, at 2:57 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
>> If two realms claim to be served by a server with IP address
>> 192.0.2.23, we don't want one of these realms to be able to overwrite
>> the key for the other. Either both keys will work for the same IP
>> address, or someone is being dishonest, but it's important not to
>> combine home servers in this instance just because they have the same
>> IP and hostname
> That is, hostname and port? The same IP can run multiple servers on
> different ports with different keys. There's no dishonesty in any of that.
No. The problem is different.
Let’s say we have a proxy which uses *one* list for home servers. In that case, I can take *everyone's* roaming down with a simple configuration.
1) I sign up for a roaming consortium, as example.org
2) When proxies ask for my RADIUS server information, I give them *my* certificate, and the RADIUS IP / port for example.com
3) A user logs into the proxy with example.com, and gets the example.com RADIUS server IP/port
4) the certificate presented for that IP/port is for example.org, so the example.com roaming will fail
As a result, the home server TLS information *must* be kept separate for each realm.
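The scenario in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a toy proxy table keyed only by IP/port next to one that keeps TLS information per realm. All class and function names, the port 2083 and the certificate subjects are constructed for illustration, and the failure is modelled as a mismatch between the TLS identity recorded for a realm and the one the server presents.

```python
# Added illustration; hypothetical names, not FreeRADIUS internals.
from dataclasses import dataclass

@dataclass(frozen=True)
class HomeServer:
    ip: str
    port: int
    expected_cert_subject: str  # TLS identity the proxy accepts from this server

class SharedTable:
    """One list for all realms, keyed only by (ip, port): last writer wins."""
    def __init__(self):
        self._servers = {}
        self._realm_to_addr = {}

    def register(self, realm, server):
        self._servers[(server.ip, server.port)] = server
        self._realm_to_addr[realm] = (server.ip, server.port)

    def lookup(self, realm):
        return self._servers[self._realm_to_addr[realm]]

class PerRealmTable:
    """Home server TLS information kept separately for each realm."""
    def __init__(self):
        self._servers = {}

    def register(self, realm, server):
        self._servers[realm] = server

    def lookup(self, realm):
        return self._servers[realm]

def tls_check_passes(table, realm, presented_subject):
    """Would the proxy accept the certificate the server presents for this realm?"""
    return table.lookup(realm).expected_cert_subject == presented_subject

def run_scenario(table):
    # Constructed data: 192.0.2.23:2083 is example.com's real server.
    table.register("example.com", HomeServer("192.0.2.23", 2083, "CN=radius.example.com"))
    # example.org supplies its own certificate with example.com's IP/port.
    table.register("example.org", HomeServer("192.0.2.23", 2083, "CN=radius.example.org"))
    # An example.com user is proxied; the server presents example.com's cert.
    return tls_check_passes(table, "example.com", "CN=radius.example.com")

if __name__ == "__main__":
    print("shared list, example.com works:", run_scenario(SharedTable()))
    print("per-realm,   example.com works:", run_scenario(PerRealmTable()))
```

With the per-realm table only the realm that supplied the mismatched information fails its own TLS check; example.com is unaffected.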