public secret and public radius server. Is it secure?
Alan DeKok
aland at nitros9.org
Fri Jun 2 17:18:24 CEST 2006
sophana <sophana at zizi.ath.cx> wrote:
> I saw in the freeradius source that the NAS are identified from the IP
> address, and the secret is determined from it.

That's how RADIUS works.

> My problem is that there can be hotspots on dynamic IP addresses.
> The solution I found actually is to have a unique secret shared with
> all hotspots.
> So the secret is known by everybody.

Or, make the hotspots NOT have dynamic IPs. There's no reason why
they should have dynamic IPs.

> - What can a malicious user do with the secret? Can it alter
> accounting and other things? (chillispot uses chap auth-type)

If someone knows the secret, he can do *anything* to the packets
without the RADIUS server being able to tell.

> - Is there a way of maintaining a per-hotspot secret with dynamic IP
> addresses?

Not really, no.
Alan DeKok.