public secret and public radius server. Is it secure?

Alan DeKok aland at nitros9.org
Mon Jun 5 06:19:47 CEST 2006


sophana <sophana at zizi.ath.cx> wrote:
> Both the Access Request and Accounting Request MUST have the
> NAS-IP-Address <http://www.freeradius.org/rfc/rfc2865.html#NAS-IP-Address>
> attribute or a NAS-Identifier
> <http://www.freeradius.org/rfc/rfc2865.html#NAS-Identifier> attribute
> (or both).
> Does this mean that ALL packets sent from the client contain at least one
> of these 2 attributes?

  Yes.

> So does this mean that the radius server could look up in its database a
> secret according to one of these attributes instead of the IP address?

  In theory, yes.  In practice, this permits additional attacks that
can compromise your server.

  Please read clients.conf, and implement my suggestion for using
shared secrets for an entire network.  It's by far and away the best
choice.

  Alan DeKok.
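
An added illustration (not part of the original message and not FreeRADIUS code) of choosing the shared secret by source network, as the reply recommends, and never by the NAS-Identifier carried in the packet. The networks, secrets and function names are constructed for the example; the validation shown is the RFC 2866 Accounting-Request authenticator.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed client table: one shared secret per network, keyed by source prefix.
CLIENTS = {
    ipaddress.ip_network("192.0.2.0/24"): b"constructed-secret-net-a",
    ipaddress.ip_network("198.51.100.0/25"): b"constructed-secret-net-b",
}

def secret_for_source(src_ip):
    """Return the secret of the most specific client network containing src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    matches = [net for net in CLIENTS if addr in net]
    if not matches:
        return None
    return CLIENTS[max(matches, key=lambda n: n.prefixlen)]

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def accounting_authenticator(packet, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()

def accept_accounting_request(src_ip, packet):
    """Accept only if the secret selected by source address validates the packet."""
    secret = secret_for_source(src_ip)
    if secret is None or len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] > len(packet):
        return False
    return hmac.compare_digest(accounting_authenticator(packet, secret), packet[4:20])

def build_accounting_request(secret, nas_identifier, ident=1):
    """Build a constructed Accounting-Request (code 4) carrying NAS-Identifier (type 32)."""
    attrs = bytes([32, 2 + len(nas_identifier)]) + nas_identifier
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs
```

The NAS-Identifier is parsed only after the packet has been validated with the secret bound to its source network, so a packet that names one NAS but arrives from another network's address fails the authenticator check.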



