public secret and public radius server. Is it secure?

Alan DeKok aland at
Fri Jun 2 18:23:08 CEST 2006

sophana <sophana at> wrote:
> In my project, I don't own the hotspots, and don't know about the 
> hotspots ISPs.
> The hotspots communicate to the radius server though the internet.

  I would suggest using another method to get a secure connection to
the hotspot.  Maybe IPSec.

  Barring that, each hotspot has a dynamic IP within a small network
range.  So you can list the network in "clients.conf", and at least
have one shared secret per hotspot location.  This *is* documented in
clients.conf, please read it.

> Ok. I don't know much about the radius protocol details, maybe you could 
> help me understanding how secure would be a solution where the secret is 
> know by everybody.

  I thought I said it WOULDN'T be secure.  What part of my response
was unclear?

> Now, once a user is authenticated, how does the nas send accounting info?

  Read the documentation.  That's what it's there for.

> Does it have to authenticate again, or is its ip address (and its 
> (public known)secret) sufficient to authenticate?
> Do you need at least a session id?

  You're confused.  Users authenticate.  NASes don't.

> Imagine that the malicious use cannot listen to the radius 
> communications. What can it do without authentication?

  Not get on the network?  I don't understand why you're asking these

> I need security, because I will use accounting info to perform 
> facturation...

  Facturation isn't an english word.

  Alan DeKok.

More information about the Freeradius-Users mailing list