Duplicate IPs for Radius Clients with different secrets - allow any client IP?

Anders Holm anders.holm at sysadmin.ie
Wed Dec 17 20:55:24 CET 2008

Eric Geier wrote:
> Thank you for the info, David.
> I think the following is an example of how this could work, which I googled:
>> client {
>>        secret = "%{sql:SELECT secret FROM accesspoints WHERE id =
> %{raw:NAS-Identifier}}"
>>        shortname = "just one of our example networks"
>> }
> I'm thinking I could even just have one client entry like this...but set to
> allow any IP. Is that possible?

client, shared secret = "open" ...

Why bother doing the SQL stuff, if you're going to let anyone use your 
service anyway? Think about it ... clients.conf controls which APs/NAS' 
are allowed to send you stuff to process. If your intention is to open 
it for anyone that can reach your service, why then do the above? The 
end clients are not what will send you requests, the APs are ....... I 
think you've missed the point of the IP addressing for the end clients 
versus how you wish to handle the APs ...

And for a service which allows or denies access for your internal users, 
I wouldn't personally allow anyone from the outside world even get close 
to that service.

You want to understand basic networking and security considerations 
before seriously contemplating this.

Start looking at getting a VPN solution between your offices, or simply 
just put one FreeRADIUS box in each office.

Continue on this path and fairly soon someone will have found your 
wireless setup and the service which allows clients to authenticate 
sitting out in the open. You might as well not have anything in place at 
all then...

> This would prevent me from having to track Internet IP changes among the
> multiple offices and locations where these separate WPA-Enterprise networks
> will be located at.
> Thanks! Eric
>> -----Original Message-----
>> From: freeradius-users-bounces+me=egeier.com at lists.freeradius.org
>> [mailto:freeradius-users-bounces+me=egeier.com at lists.freeradius.org] On
>> Behalf Of wlanmac
>> Sent: Wednesday, December 17, 2008 8:42 AM
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: Duplicate IPs for Radius Clients with different secrets
>> It's easy! Just google for rlm_raw and use it with a SQL xlat rule to
>> pick out the shared secret from a database. I have been doing this way
>> for years... in FreeRADIUS v1 and v2.
>> David
>> coova.org
>>> Date: Wed, 17 Dec 2008 10:16:17 +0200
>>> From: Johan Meiring <jmeiring at pcservices.co.za>
>>> Subject: Re: Duplicate IPs for Radius Clients with different secrets
>>> To: FreeRadius users mailing list
>>> 	<freeradius-users at lists.freeradius.org>
>>> Message-ID: <4948B551.6030406 at pcservices.co.za>
>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>> Eric Geier wrote:
>>>> If I understand what you said, I would only need one IP entry (the
>> Internet
>>>> IP) in the config file for each location, right?
>>>> Most of these locations will be using dynamic Internet IPs; I'm not
>> sure
>>>> how'd I keep the config updated. Plus this would make each
>> location/network
>>>> use the same shared secret among all their APs, which I want to
>> prevent.
>>> Alan,
>>> The Nas-Identifier being available to dynamic clients will also solve
>>> Eric's problem.
>>> Any update on when it might be available?
>>> Thanks!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081217/f7cefffd/attachment.html>

More information about the Freeradius-Users mailing list