public secret and public radius server. Is it secure?

sophana sophana at zizi.ath.cx
Sun Jun 4 22:24:26 CEST 2006


Alan DeKok wrote:

>sophana <sophana at zizi.ath.cx> wrote:
>
>>In my project, I don't own the hotspots, and don't know about the
>>hotspots' ISPs.
>>The hotspots communicate to the radius server through the internet.
>
>  I would suggest using another method to get a secure connection to
>the hotspot.  Maybe IPSec.
>
>  Barring that, each hotspot has a dynamic IP within a small network
>range.  So you can list the network in "clients.conf", and at least
>have one shared secret per hotspot location.  This *is* documented in
>clients.conf, please read it.
>
I don't want to do that, because it is too complex to set up. My users
set up their hotspot by themselves (at least at the beginning).
Setting up a VPN is too complicated. I just want the setup to be as simple as
possible.

>>Ok. I don't know much about the radius protocol details, maybe you could
>>help me understand how secure a solution would be where the secret is
>>known by everybody.
>
>  I thought I said it WOULDN'T be secure.  What part of my response
>was unclear?
>
>
>>Now, once a user is authenticated, how does the NAS send accounting info?
>
>  Read the documentation.  That's what it's there for.
>
>
Ok, sorry for asking. I finally read RFC 2866.
I saw that the accounting Request Authenticator only depends on the
famous secret, not on the authentication.
I am now convinced that the secret must remain secret.

But I think there is a solution for having dynamic IPs that could be
implemented.
Please tell me if I'm wrong.
Both the Access-Request and Accounting-Request MUST have the
NAS-IP-Address <http://www.freeradius.org/rfc/rfc2865.html#NAS-IP-Address>
attribute or a NAS-Identifier
<http://www.freeradius.org/rfc/rfc2865.html#NAS-Identifier> attribute
(or both).
Does this mean that ALL packets sent from the client contain at least one
of these 2 attributes?
So does this mean that the radius server could look up in its database a
secret according to one of these attributes instead of the IP address?
That would definitely solve the dynamic IP address problem, wouldn't it?

>>I need security, because I will use accounting info to perform
>>facturation...
>
>  Facturation isn't an english word.
>
Sorry, "facturation" is the French word for billing.

Regards

Sophana KOK
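The scheme discussed in this message (look up the shared secret by the NAS-Identifier attribute instead of the source IP, then verify the RFC 2866 Accounting-Request Request Authenticator), as an added example that is neither from the thread nor FreeRADIUS code. The NAS identifiers, secrets and packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RFC 2866 packet code
NAS_IDENTIFIER = 32      # RFC 2865 attribute type
ACCT_STATUS_TYPE = 40    # RFC 2866 attribute type

# Constructed per-hotspot secrets keyed by NAS-Identifier (not by IP address).
SECRETS_BY_NAS_ID = {b"hotspot-cafe-01": b"s3cret-cafe", b"hotspot-lib-02": b"s3cret-lib"}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RFC 2865 TLVs: Type, Length (incl. header), Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(body):
    """Parse the attribute area, rejecting lengths that do not fit the packet."""
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(ident, attrs, secret):
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_accounting_request(packet, secrets_by_nas_id):
    """Return (ok, nas_id). The secret is chosen by NAS-Identifier, so a hotspot
    on a dynamic IP can still be matched; a forged or unknown NAS fails the check."""
    if len(packet) < 20:
        return False, None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False, None
    auth, body = packet[4:20], packet[20:]
    nas_ids = [v for t, v in parse_attrs(body) if t == NAS_IDENTIFIER]
    if len(nas_ids) != 1:            # exactly one NAS-Identifier expected
        return False, None
    secret = secrets_by_nas_id.get(nas_ids[0])
    if secret is None:
        return False, nas_ids[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected), nas_ids[0]
```

The NAS-Identifier is untrusted until the authenticator verifies, so it only selects which secret to try; with one secret per hotspot, a sender who knows only its own secret cannot produce valid accounting for another hotspot's identifier.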



