FreeRADIUS 2.1 proxy error "Inconsistent shared secret for home server"
Alan DeKok
aland at deployingradius.com
Tue Aug 18 22:21:44 CEST 2009
Adam Bultman wrote:
> I have an existing proxy realm like this:
>
> realm proxydomain.com {
> type = radius
> authhost = x.x.x.x:1812
> accthost = x.x.x.x:1813

In version 2, you should use the "home_server" directive. See
raddb/proxy.conf. This *is* documented.

> I am trying to set up a new proxy realm, which is a different domain
> name, but uses the same authhost and accthost, but a new shared secret:

This is *impossible* to do in RADIUS. By that, I mean *impossible*.

The client sends packets to the server. The server looks up the
shared secret by client IP. It is *impossible* to have two shared
secrets for one client IP.

> The authhost and accthost are reached via a VPN, and they are a
> "clearing house" of sorts - they proxy authentication and accounting for
> multiple companies (not just the one I'm worrying about).

So... list the shared secret for the *proxy*, not for the upstream
servers.

> Is it not possible to have unique shared secrets for unique realms,
> proxied to the same auth and acct hosts?

RADIUS doesn't work like that. It's impossible.

Alan DeKok.
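
An added illustration, not part of the original post and not FreeRADIUS code: it shows why one secret per client IP is all the upstream server can use, by running the RFC 2865 User-Password hiding with two per-realm secrets sent from the same proxy address. The IP address, secrets, password and the second realm name are constructed for the example.

```python
import hashlib

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client (proxy) side: RFC 2865 section 5.2 User-Password hiding."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = _md5(secret + prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the inverse, using whichever secret the server selected."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample values (assumptions, not from the post).
PROXY_IP = "192.0.2.10"
UPSTREAM_CLIENTS = {PROXY_IP: b"secret-A"}   # upstream table: one secret per IP
REQUEST_AUTH = bytes(range(16))              # fixed so the demo is repeatable
PASSWORD = b"correct horse"

def upstream_receive(src_ip: str, hidden: bytes) -> bytes:
    # The secret is looked up by client IP, as the post states; the realm
    # plays no part in choosing it.
    secret = UPSTREAM_CLIENTS[src_ip]
    return recover_password(hidden, secret, REQUEST_AUTH)

def demo() -> dict:
    # What the proxy would send if it used a different secret per realm.
    per_realm = {"proxydomain.com": b"secret-A",
                 "second-realm.example": b"secret-B"}   # hypothetical realm
    return {realm: upstream_receive(PROXY_IP,
                                    hide_password(PASSWORD, s, REQUEST_AUTH))
            for realm, s in per_realm.items()}

if __name__ == "__main__":
    for realm, got in demo().items():
        print(realm, "decoded correctly" if got == PASSWORD else "garbage", got)
```

Only the realm whose secret matches the upstream entry for the proxy's IP decodes; the other yields garbage, so the request fails.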