Duplicate IPs for Radius Clients with different secrets

Eric Geier me at egeier.com
Tue Dec 16 15:47:08 CET 2008

Thanks for your reply.
> > I'm not exactly sure. How does a RADIUS server work over the
> Internet? I'm
> > not connecting the radius clients onto the same LAN. If a radius
> request
> > comes in from the internet, would the server send responses to the
> Internet
> > IP that it received it from (which I think would work for my case) or
> would
> > it send to the radius client IP?
> >
> > Here's what I'm trying to do:
> > Host a radius server on the Internet...for PEAP 802.1X (WPA-
> enterprise).
> > Each AP at the different offices would be set with the Internet IP
> address
> > of where the radius server is running, along with a shared secret.
> There
> > would likely be APs set to the same IP address, that's why I'm asking
> about
> > all this.
> i'm having a quick stab in the dark here - I'm guessing
> that your APs will have local non routed addresses on their
> LAN - eg 192.168.x.x or 172.16.x.x etc

Yes, that's correct.

> - in this case, they
> will appear to the FreeRADIUS server as originating from the
> IP address of your real outside world gateway/NAT box. therefore
> each of your sites will be presented to the FreeRADIUS server
> as different IP addresses.

Are you saying it would work, FreeRADIUS would respond to the individual

> of course, you could really freak things out by using
> VPN tunnels from the inside networks of each site direct to
> the FreeRADIUS box - but if all your sites use the same range
> of addresses then the server wouldnt have a clue at all of which
> tunnel to send the reply down!

Why would I want to VPN to the server?
> with latest version 2.x of FreeRADIUS you can have dynamic clients
> etc which can select the correct shared secrets depending on
> special DB lookups etc - but thats not a choice for you currently.

Yes I read about this, and I'll be upgrading soon and moving to Linux. When
writing the DB lookups, can I use the User-Name attribute pulled from the
requests? This will I think let me search for shared secret based on both
the RadiusClient IP and the domain....the other server I tried couldn't do
this. I would also consider using the MAC address of the AP instead or in
addition to the domain.


More information about the Freeradius-Users mailing list