Weird shared secret issues

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Sun May 4 21:21:44 CEST 2008


Hi Ivan,

	Really, I appreciate the information. I'm sure between the suggestions
given I could do it. However, if it is more than a command line or script on
the radius server itself, it's too involved for the person I have to turn it
over to.  I just saw that radtest took nasname as an option and thought it
would have a bearing on the secret. Not the case, so I know better. :)

		Thanks, Tuc

> 
> If you have a spare box on a local network, switch that supports VLANs
> and a router that can tag VLANs - you can spoof the whole outside
> network with simple IP/VLAN configuration:
> 
> configure a gateway IP interface for the network you want to spoof on
> your router and tag it with testing VLAN ID - that will create a locally
> connected routing table entry - no creative manual entries needed
> 
> configure testing VLAN ID on the switchport to which you will connect the
> testing box
> 
> configure IP you want to spoof on the testing box
> 
> That shouldn't take more than 5 minutes. Just make sure that you remove
> the spoofed gateway interface from the router after testing in order to
> be able to use the real network.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 4/5/2008, "Tuc at T-B-O-H.NET" <ml at t-b-o-h.net> writes:
> 
> >>
> >> Hi,
> >>
> >> > 	Tech calls in and says that he can't get an appliance working in the field.
> >> > I ask him what secret he's using and the IP address of the appliance. I want to
> >> > be able to be locally logged onto the radius server and use radtest/radclient/rad????
> >> > to be able to query radius asking "If I was IP, and I gave you SECRET, would you
> >> > authorize me?".
> >> >
> >> > 	So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I
> >> > say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
> >>
> >> you want to spoof the source address? tricky.  one 'easy' way to do this would
> >> be to create a local VPN/GRE tunnel on the linux box under which you could
> >> emulate a remote link.
> >>
> >> configure freeradius to also listen on that virtual address, run the
> >> radclient with the destination being the end point of the VPN - the
> >> linux routing tables would then come into play.  you'd have to
> >> reconfigure the VPN end addresses etc each time to emulate an
> >> outside world link...but it would work.
> >>
> >	Not worth it. All I'm looking to do is get programmatic confirmation
> >that the ip/secret combination in the field is correct. Since this is an
> >appliance, not an OS, I don't have access to radtest on the appliance. To
> >have someone start setting up VPN/GRE/etc is more hassle than it's worth.
> >I just have to tell the tech to RTFD closer. I was just hoping I could
> >put together a local form on a webserver that could shell out to a script
> >to make the test.
> >
> >	We'll just have to suffer. :) (Or ask the manufacturer to include
> >a utility in the "diagnostic" section)
> >
> >		Thanks, Tuc
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
> 
> 
> 

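The exchange the thread is arguing about, as an added example that is not code from the thread or from FreeRADIUS: a self-contained Python model of a RADIUS Access-Request/Access-Accept round trip (RFC 2865 User-Password hiding and Response Authenticator), with a server side that picks the shared secret by the packet's source address, the way FreeRADIUS does from clients.conf. It shows why putting the remote NAS address into NAS-IP-Address (what radtest's nasname argument sets) does not change which secret the server uses, so the field secret is never actually tested from the server itself. The addresses, secrets, user and password are constructed for the example.

```python
"""Model of a RADIUS Access-Request/Access-Accept exchange (RFC 2865).

Added example, not the thread's or FreeRADIUS's code. The server looks the
shared secret up by the request's *source IP* only (as clients.conf does);
the NAS-IP-Address attribute inside the packet is never used for that.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: the password as seen with *this* secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break  # malformed attribute: stop instead of reading past the buffer
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret, username, password, nas_ip, identifier=0):
    """Client side: random Request Authenticator, hidden User-Password, NAS-IP-Address."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def server_handle(packet, source_ip, clients, users):
    """Server side. Secret chosen by source_ip alone; unknown clients get no reply."""
    secret = clients.get(source_ip)
    if secret is None:
        return None
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    ok = username in users and users[username].encode() == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); no attributes here.
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(secret, request_auth, response):
    """Client side: the response code, or None if its authenticator fails under *our* secret."""
    _, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


def probe(secret, source_ip, nas_ip, username, password, clients, users):
    """What a tester sees: 'accept', 'reject', 'bad-authenticator' or 'no-reply'."""
    packet, request_auth = build_access_request(secret, username, password, nas_ip)
    response = server_handle(packet, source_ip, clients, users)
    if response is None:
        return "no-reply"
    code = verify_response(secret, request_auth, response)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-authenticator")


# Constructed data standing in for clients.conf and the users file.
CLIENTS = {"3.4.5.6": b"field-secret", "1.2.3.4": b"server-local-secret"}
USERS = {"tech": "s3cret"}

if __name__ == "__main__":
    # The appliance, from its own address, with the right secret: accept.
    print(probe(b"field-secret", "3.4.5.6", "3.4.5.6", "tech", "s3cret", CLIENTS, USERS))
    # Same packet sent from the server (1.2.3.4) claiming NAS-IP-Address 3.4.5.6:
    # the server keys the secret off 1.2.3.4, so the field secret is never checked.
    print(probe(b"field-secret", "1.2.3.4", "3.4.5.6", "tech", "s3cret", CLIENTS, USERS))
```

The "bad-authenticator" outcome is the one a tester hits when the secret on the two ends differs: the server decrypts User-Password with its own secret, rejects, and signs the reply with that same secret, so the reply fails the client's authenticator check rather than arriving as a clean Access-Reject. A wrong password with the right secret gives a clean "reject", which is how the two failures can be told apart; a source address missing from the client list gives no reply at all.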