Duplicate IPs for Radius Clients with different secrets

Eric Geier me at egeier.com
Tue Dec 16 16:46:16 CET 2008

The best solution I can think of that I want to mimic is SecureMyWiFi from
WiTopia, a hosted radius service (www.witopia.net). Their service works just
like I want.

> > Are you saying it would work, FreeRADIUS would respond to the
> individual
> > sites?
>   Yes.  This is how *any* networking protocol works.

Would the server see request from just coming from the Internet IPs or
individual APs...meaning would I have to list each location's Internet IP in
the client.conf file? I want to be able to list each AP IP individually,
tagged with the domain it belongs to.

> >> of course, you could really freak things out by using
> >> VPN tunnels from the inside networks of each site direct to
> >> the FreeRADIUS box - but if all your sites use the same range
> >> of addresses then the server wouldnt have a clue at all of which
> >> tunnel to send the reply down!
> >
> > Why would I want to VPN to the server?
>   So that your RADIUS packets aren't sent over the Internet in the
> clear.

Gotcha, I need to read more about this.

> >> with latest version 2.x of FreeRADIUS you can have dynamic clients
> >> etc which can select the correct shared secrets depending on
> >> special DB lookups etc - but thats not a choice for you currently.
> >
> > Yes I read about this, and I'll be upgrading soon and moving to
> Linux. When
> > writing the DB lookups, can I use the User-Name attribute pulled from
> the
> > requests?
>   No.  Only the source IP address.

Then I'm not sure how I would pull the correct shared secrets...unless it
all works per internet IP rather than per AP.

> > This will I think let me search for shared secret based on both
> > the RadiusClient IP and the domain....the other server I tried
> couldn't do
> > this. I would also consider using the MAC address of the AP instead
> or in
> > addition to the domain.
>   I don't think that's necessary.  The source IP address should be good
> enough.

Same as above.

Thanks, Eric

More information about the Freeradius-Users mailing list