Duplicate IPs for Radius Clients with different secrets
me at egeier.com
Tue Dec 16 15:47:08 CET 2008
Thanks for your reply.
> > I'm not exactly sure. How does a RADIUS server work over the
> Internet? I'm
> > not connecting the radius clients onto the same LAN. If a radius
> > comes in from the internet, would the server send responses to the
> > IP that it received it from (which I think would work for my case) or
> > it send to the radius client IP?
> > Here's what I'm trying to do:
> > Host a radius server on the Internet...for PEAP 802.1X (WPA-
> > Each AP at the different offices would be set with the Internet IP
> > of where the radius server is running, along with a shared secret.
> > would likely be APs set to the same IP address, that's why I'm asking
> > all this.
> i'm having a quick stab in the dark here - I'm guessing
> that your APs will have local non routed addresses on their
> LAN - eg 192.168.x.x or 172.16.x.x etc
Yes, that's correct.
> - in this case, they
> will appear to the FreeRADIUS server as originating from the
> IP address of your real outside world gateway/NAT box. therefore
> each of your sites will be presented to the FreeRADIUS server
> as different IP addresses.
Are you saying it would work, FreeRADIUS would respond to the individual
> of course, you could really freak things out by using
> VPN tunnels from the inside networks of each site direct to
> the FreeRADIUS box - but if all your sites use the same range
> of addresses then the server wouldnt have a clue at all of which
> tunnel to send the reply down!
Why would I want to VPN to the server?
> with latest version 2.x of FreeRADIUS you can have dynamic clients
> etc which can select the correct shared secrets depending on
> special DB lookups etc - but thats not a choice for you currently.
Yes I read about this, and I'll be upgrading soon and moving to Linux. When
writing the DB lookups, can I use the User-Name attribute pulled from the
requests? This will I think let me search for shared secret based on both
the RadiusClient IP and the domain....the other server I tried couldn't do
this. I would also consider using the MAC address of the AP instead or in
addition to the domain.
More information about the Freeradius-Users