Duplicate IPs for Radius Clients with different secrets

Eric Geier me at egeier.com
Tue Dec 16 03:56:20 CET 2008


> > Hi, I'm wondering if someone can point me in the right direction. I want to
> > list radius clients with the same IPs (and different shared secrets). This
> > would let me use freeradius among multiple offices, where each could use the
> > same IP addresses for the radius clients.
> 
> And how is routing going to work there? How is radius server supposed to
> send the response back to the correct client? This can work only if you
> carry radius server from office to office so it works a little bit here,
> little bit there. If you connect those clients onto a network they will
> all stop working (or, at best, first one you put on the network will
> work but others won't).
> 
> Ivan Kalik
> Kalik Informatika ISP

I'm not exactly sure. How does a RADIUS server work over the Internet? I'm
not connecting the radius clients onto the same LAN. If a radius request
comes in from the internet, would the server send responses to the Internet
IP that it received it from (which I think would work for my case) or would
it send to the radius client IP?

Here's what I'm trying to do:
Host a radius server on the Internet...for PEAP 802.1X (WPA-enterprise).
Each AP at the different offices would be set with the Internet IP address
of where the radius server is running, along with a shared secret. There
would likely be APs set to the same IP address, that's why I'm asking about
all this.

> > Hi, I'm wondering if someone can point me in the right direction. I want to
> > list radius clients with the same IPs (and different shared secrets). This
> > would let me use freeradius among multiple offices, where each could use the
> > same IP addresses for the radius clients. I need something very dynamic;
> > manually creating virtual servers in the config file won't work well.
> 
>   RADIUS doesn't work that way.
> 
>   Shared secrets are per client IP.  Each client IP is used to look up
> the shared secret.  You can't have multiple shared secrets for one IP.
> 
> > Right now I'm using v1.188.2.4.2.14
> 
>   That's not the server version number.
> 
>   Use "radiusd -v" to get the version information.
> 
>   Alan DeKok.

I know it traditionally doesn't, just checking to see what people think and
if I might find a way to do what I want to do.

What got me thinking something like this could work is when using a
different server, I thought I could modify the SQL select statement that's
used to find the shared secret. For example, the default is "select
SharedSecret from NASES where ClientIPAddress='$c'". I thought I could just
add the following to the end: "and where Domain=(function that takes the
domain from the username...after the @)". I found that server can't register
the username attribute during the select statement...so it all didn't work.

Oops. I'm using v1.1.7 because at the moment I'm using FreeRadius.net on
Windows.

Thanks for your help guys - Eric
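
Added example, not part of the original message and not FreeRADIUS code: a minimal Python sketch of the lookup described in the quoted reply, where the server selects the shared secret from the packet's source IP and only then checks the RFC 3579 Message-Authenticator (HMAC-MD5) that EAP requests carry. The client table, addresses, user names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed client table (assumption): exactly one secret per source IP.
CLIENTS = {"203.0.113.10": b"office-a-secret", "198.51.100.7": b"office-b-secret"}


def build_access_request(identifier, user_name, secret):
    """Build an Access-Request whose last attribute is Message-Authenticator."""
    name = user_name.encode()
    attrs = struct.pack("!BB", ATTR_USER_NAME, len(name) + 2) + name
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    # HMAC-MD5 over the whole packet with the attribute value zeroed (RFC 3579).
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_request(source_ip, packet):
    """Server side: the secret is chosen by source IP before attributes are read."""
    secret = CLIENTS.get(source_ip)
    if secret is None:
        return "unknown client"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return "malformed"
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[pos + 2:pos + 18])
            return "accepted" if ok else "bad Message-Authenticator"
        pos += alen
    return "no Message-Authenticator"


if __name__ == "__main__":
    good = build_access_request(1, "alice@office-a.example", b"office-a-secret")
    other = build_access_request(2, "bob@office-c.example", b"office-c-secret")
    print(verify_request("203.0.113.10", good))
    print(verify_request("203.0.113.10", other))
```

A second device arriving from the same source IP with a different secret fails the check regardless of the User-Name it sends, because the secret is fixed before any attribute is parsed.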





