Duplicate IPs for Radius Clients with different secrets
me at egeier.com
Tue Dec 16 16:33:39 CET 2008
Oops, I didn't see this message at first.
Does this go along with what Alan was thinking?
If I understand what you said, I would only need one IP entry (the Internet
IP) in the config file for each location, right?
Most of these locations will be using dynamic Internet IPs; I'm not sure
how I'd keep the config updated. Plus this would make each location/network
use the same shared secret among all their APs, which I want to prevent.
The best solution I can think of that I want to mimic is SecureMyWiFi from
WiTopia, a hosted radius service (www.witopia.net). Their service works just
like I want.
> -----Original Message-----
> From: freeradius-users-bounces+me=egeier.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+me=egeier.com at lists.freeradius.org] On
> Behalf Of Paul Bartell
> Sent: Tuesday, December 16, 2008 2:13 AM
> To: FreeRadius users mailing list
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
> Okay. What you need to do is set IPs in the client configuration file
> for each of the APs that is going to be authenticating by using their
> external IP address, which is where the connection will appear to come
> from to freeradius. Do a freeradius -X and it should be quite
> explanatory, when you try to connect through an AP to it.
> On Mon, Dec 15, 2008 at 6:56 PM, Eric Geier <me at egeier.com> wrote:
> >> >Hi, I'm wondering if someone can point me in the right direction. I
> >> want to
> >> >list radius clients with the same IPs (and different shared
> >> This
> >> >would let me use freeradius among multiple offices, where each
> >> use the
> >> >same IP addresses for the radius clients.
> >> And how is routing going to work there? How is radius server supposed
> >> send the response back to the correct client? This can work only if
> >> carry radius server from office to office so it works a little bit
> >> here,
> >> little bit there. If you connect those clients onto a network they
> >> all stop working (or, at best, first one you put on the network will
> >> work but others won't).
> >> Ivan Kalik
> >> Kalik Informatika ISP
> > I'm not exactly sure. How does a RADIUS server work over the
> Internet? I'm
> > not connecting the radius clients onto the same LAN. If a radius
> > comes in from the internet, would the server send responses to the
> > IP that it received it from (which I think would work for my case) or
> > it send to the radius client IP?
> > Here's what I'm trying to do:
> > Host a radius server on the Internet...for PEAP 802.1X (WPA-
> > Each AP at the different offices would be set with the Internet IP
> > of where the radius server is running, along with a shared secret.
> > would likely be APs set to the same IP address, that's why I'm asking
> > all this.
> >> > Hi, I'm wondering if someone can point me in the right direction.
> >> want to
> >> > list radius clients with the same IPs (and different shared
> >> This
> >> > would let me use freeradius among multiple offices, where each
> >> use the
> >> > same IP addresses for the radius clients. I need something very
> >> dynamic;
> >> > manually creating virtual servers in the config file won't work
> >> RADIUS doesn't work that way.
> >> Shared secrets are per client IP. Each client IP is used to look
> >> the shared secret. You can't have multiple shared secrets for one
> >> > Right now I'm using v188.8.131.52.2.14
> >> That's not the server version number.
> >> Use "radiusd -v" to get the version information.
> >> Alan DeKok.
> > I know it traditionally doesn't, just checking to see what people
> think and
> > if I might find a way to do what I want to do.
> > What got me thinking something like this could work is when using a
> > different server, I thought I could modify the SQL select statement
> > used to find the shared secret. For example, the default is "select
> > SharedSecret from NASES where ClientIPAddress='$c'" I thought I could
> > add the following to the end "and where Domain=(function that takes
> > domain from the username...after the @) I found that server can't
> > the username attribute during the select statement...so it all didn't
> > Oops. I'm using v1.1.7 because at the moment I'm using FreeRadius.net
> > Windows
> > Thanks for your help guys - Eric
> Random quote of the week/month/whenever I get to updating it:
> "Opportunity knocked. My doorman threw him out." - Adrienne Gusoff
> "At school you don't get parole, good behavior only brings a longer
> sentence." - The History Boys
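The per-source-IP secret lookup described in the quoted replies, as an added example that is not part of the original thread and is not FreeRADIUS code: it models two APs behind one office NAT address and shows why an AP configured with a different secret rejects the server's reply. The client table, addresses, secrets and function names are constructed for illustration, and the packets are simplified to a header with no attributes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

# Constructed client table, keyed the way the thread describes: by the source
# IP the server sees. 203.0.113.10 is a documentation address standing in for
# one office's Internet (NAT) address.
CLIENTS = {"203.0.113.10": b"office-a-secret"}

def build_request(ident: int) -> bytes:
    """Minimal Access-Request: code, id, length, 16-byte Request Authenticator."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + os.urandom(16)

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def server_reply(src_ip: str, request: bytes):
    """Pick the secret from the packet's source IP only, then sign the reply."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None  # unknown client: the request is ignored
    _, ident, _ = struct.unpack("!BBH", request[:4])
    auth = response_authenticator(ACCESS_ACCEPT, ident, request[4:20], b"", secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + auth

def ap_accepts(reply: bytes, request: bytes, ap_secret: bytes) -> bool:
    """The AP recomputes the authenticator with its own configured secret."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request[4:20], reply[20:], ap_secret)
    return hmac.compare_digest(reply[4:20], expected)

def demo():
    """Two APs behind one NAT address, each configured with a different secret."""
    results = {}
    for name, ap_secret in [("ap1", b"office-a-secret"), ("ap2", b"other-secret")]:
        req = build_request(ident=7)
        reply = server_reply("203.0.113.10", req)
        results[name] = ap_accepts(reply, req, ap_secret)
    return results

if __name__ == "__main__":
    print(demo())
```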