Duplicate IPs for Radius Clients with different secrets

Eric Geier me at egeier.com
Tue Dec 16 16:33:39 CET 2008


Oops, I didn't see this message at first.

Does this go along with what Alan was thinking?

If I understand what you said, I would only need one IP entry (the Internet
IP) in the config file for each location, right?

Most of these locations will be using dynamic Internet IPs; I'm not sure
how I'd keep the config updated. Plus this would make each location/network
use the same shared secret among all their APs, which I want to prevent.

The best solution I can think of that I want to mimic is SecureMyWiFi from
WiTopia, a hosted radius service (www.witopia.net). Their service works just
like I want.

Thanks, Eric

> -----Original Message-----
> From: freeradius-users-bounces+me=egeier.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+me=egeier.com at lists.freeradius.org] On
> Behalf Of Paul Bartell
> Sent: Tuesday, December 16, 2008 2:13 AM
> To: FreeRadius users mailing list
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
> 
> Okay. What you need to do is set IPs in the client configuration file
> for each of the APs that is going to be authenticating by using their
> external IP address, which is where the connection will appear to come
> from to freeradius. Do a freeradius -X and it should be quite
> explanatory, when you try to connect through an AP to it.
> 
> On Mon, Dec 15, 2008 at 6:56 PM, Eric Geier <me at egeier.com> wrote:
> >> >Hi, I'm wondering if someone can point me in the right direction. I want to
> >> >list radius clients with the same IPs (and different shared secrets). This
> >> >would let me use freeradius among multiple offices, where each could use the
> >> >same IP addresses for the radius clients.
> >>
> >> And how is routing going to work there? How is radius server supposed to
> >> send the response back to the correct client? This can work only if you
> >> carry radius server from office to office so it works a little bit here,
> >> little bit there. If you connect those clients onto a network they will
> >> all stop working (or, at best, first one you put on the network will
> >> work but others won't).
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >
> > I'm not exactly sure. How does a RADIUS server work over the Internet? I'm
> > not connecting the radius clients onto the same LAN. If a radius request
> > comes in from the internet, would the server send responses to the Internet
> > IP that it received it from (which I think would work for my case) or would
> > it send to the radius client IP?
> >
> > Here's what I'm trying to do:
> > Host a radius server on the Internet...for PEAP 802.1X (WPA-enterprise).
> > Each AP at the different offices would be set with the Internet IP address
> > of where the radius server is running, along with a shared secret. There
> > would likely be APs set to the same IP address, that's why I'm asking about
> > all this.
> >
> >> > Hi, I'm wondering if someone can point me in the right direction. I want to
> >> > list radius clients with the same IPs (and different shared secrets). This
> >> > would let me use freeradius among multiple offices, where each could use the
> >> > same IP addresses for the radius clients. I need something very dynamic;
> >> > manually creating virtual servers in the config file won't work well.
> >>
> >>   RADIUS doesn't work that way.
> >>
> >>   Shared secrets are per client IP.  Each client IP is used to look up
> >> the shared secret.  You can't have multiple shared secrets for one IP.
> >>
> >> > Right now I'm using v1.188.2.4.2.14
> >>
> >>   That's not the server version number.
> >>
> >>   Use "radiusd -v" to get the version information.
> >>
> >>   Alan DeKok.
> >
> > I know it traditionally doesn't, just checking to see what people think and
> > if I might find a way to do what I want to do.
> >
> > What got me thinking something like this could work is when using a
> > different server, I thought I could modify the SQL select statement that's
> > used to find the shared secret. For example, the default is "select
> > SharedSecret from NASES where ClientIPAddress='$c'" I thought I could just
> > add the following to the end "and where Domain=(function that takes the
> > domain from the username...after the @)  I found that server can't register
> > the username attribute during the select statement...so it all didn't work.
> >
> > Oops. I'm using v1.1.7 because at the moment I'm using FreeRadius.net on
> > Windows
> >
> > Thanks for your help guys - Eric

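An added illustration of the point made in the quoted replies (not part of the original thread, and not FreeRADIUS code): the server picks the shared secret from the packet's source IP and signs its reply with it using the RFC 2865 Response Authenticator, so two APs behind one NAT address can only both validate replies if they hold the same secret. The client table, addresses and secrets below are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed client table: exactly one secret per source IP, as the thread states.
CLIENTS = {
    "198.51.100.10": b"office-a-secret",  # public (NAT) address of office A
    "203.0.113.20": b"office-b-secret",   # public (NAT) address of office B
}

def response_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(src_ip, ident, request_auth, code=2, attrs=b""):
    # The only key available for the secret lookup is the packet's source IP.
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None  # unknown client: the request is silently discarded
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return header + auth + attrs

def client_accepts(reply, request_auth, secret):
    # The AP recomputes the authenticator with its own configured secret.
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth,
                                      reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    request_auth = bytes(range(16))  # constructed 16-byte Request Authenticator
    nat_ip = "198.51.100.10"         # both APs of office A appear from this IP
    reply = build_reply(nat_ip, 7, request_auth)  # code 2 = Access-Accept
    return {
        "ap1": client_accepts(reply, request_auth, b"office-a-secret"),
        "ap2": client_accepts(reply, request_auth, b"ap2-own-secret"),
        "unknown": build_reply("192.0.2.99", 7, request_auth),
    }

if __name__ == "__main__":
    print(demo())
```
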