Multiple secrets for 0.0.0.0/0

Alan DeKok aland at ox.org
Wed Feb 1 02:17:38 CET 2006


Joe Maimon <jmaimon at ttec.com> wrote:
> Don't know what his requirements are, but the ability to allow any client
> in the world to authenticate to my server with any one of X secrets,
> thereby allowing me to associate them to client Y as opposed to client Z
> is very useful wherever the IP address range describing the source
> of client Y and client Z might overlap.

  Sure.  But it's a fairly serious performance hit, and a bad idea
from the security perspective.

> This allows me to have specific configurations for this client, cancel 
> service to only one of the "entities" and to upgrade/change the secret 
> without requiring a flag-day event.

  Hmm... that sounds like it's worth doing.

  The only problem is that this will really work only for packets that
contain Message-Authenticator.

  Alan DeKok.
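
Added example, not part of the original post and not FreeRADIUS code: a sketch of how a server could pick among several candidate secrets by checking the Message-Authenticator attribute (type 80, HMAC-MD5 over the packet with the attribute value zeroed), and why a request without that attribute cannot be matched. The function names, client names and secrets are hypothetical, and the sample packets are constructed.

```python
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def find_message_authenticator(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    if len(packet) < 20:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return None
    pos = 20  # attributes start after code, id, length, authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            return pos + 2 if attr_len == 18 else None
        pos += attr_len
    return None

def match_secret(packet, secrets):
    """Return the name whose secret validates the packet, else None."""
    offset = find_message_authenticator(packet)
    if offset is None:
        return None  # no Message-Authenticator: secrets cannot be told apart
    length = struct.unpack("!H", packet[2:4])[0]
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:length]
    for name, secret in secrets.items():  # one HMAC per candidate secret
        expected = hmac.new(secret, zeroed, "md5").digest()
        if hmac.compare_digest(expected, received):
            return name
    return None

def build_request(secret, with_ma=True):
    """Constructed sample Access-Request (code 1) with a User-Name attribute."""
    attrs = bytes([1, 5]) + b"bob"
    if with_ma:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16))
    packet = header + attrs
    if with_ma:
        mac = hmac.new(secret, packet, "md5").digest()
        packet = packet[:-16] + mac
    return packet

SECRETS = {"client_y": b"secret-for-y", "client_z": b"secret-for-z"}  # constructed
```

Each additional candidate secret costs one more HMAC-MD5 computation per request before the packet can be attributed to a client.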


