FreeRADIUS 2.1 proxy error "Inconsistent shared secret for home server"

Alan DeKok aland at deployingradius.com
Tue Aug 18 22:21:44 CEST 2009


Adam Bultman wrote:
> I have an existing proxy realm like this:
> 
> realm proxydomain.com {
>         type            = radius
>         authhost        = x.x.x.x:1812
>         accthost        = x.x.x.x:1813

  In version 2, you should use the "home_server" directive.  See
raddb/proxy.conf.  This *is* documented.

> I am trying to set up a new proxy realm, which is a different domain
> name, but uses the same authhost and accthost, but a new shared secret:

  This is *impossible* to do in RADIUS.  By that, I mean *impossible*.

  The client sends packets to the server.  The server looks up the
shared secret by client IP.  It is *impossible* to have two shared
secrets for one client IP.

> The authhost and accthost are reached via a VPN, and they are a
> "clearing house" of sorts - they proxy authentication and accounting for
> multiple companies (not just the one I'm worrying about).

  So... list the shared secret for the *proxy*, not for the upstream
servers.

> Is it not possible to have unique shared secrets for unique realms,
> proxied to the same auth and acct hosts?

  RADIUS doesn't work like that.  It's impossible.

  Alan DeKok.
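
Added illustration (not part of the original message, and not FreeRADIUS code): the receiver's lookup described above, shown for accounting packets. The secret is selected by source IP and used to check the RFC 2866 Request Authenticator, so a second realm signed with a different secret from the same proxy IP is discarded. The `HomeServer` class, addresses, secrets and user names are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # packet code, RFC 2866

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def acct_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_acct_request(ident: int, user: bytes, secret: bytes) -> bytes:
    """Sender (the proxy): sign an Accounting-Request with the given secret."""
    # User-Name (1) and Acct-Status-Type (40) = Start (1)
    attrs = attr(1, user) + attr(40, struct.pack("!I", 1))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + acct_authenticator(header, attrs, secret) + attrs

class HomeServer:
    """Receiver (hypothetical): one secret per source IP, chosen before any attribute is read."""

    def __init__(self, clients: dict):
        self.clients = clients  # source IP -> shared secret; one key, one value

    def accept(self, src_ip: str, packet: bytes) -> bool:
        secret = self.clients.get(src_ip)
        if secret is None or len(packet) < 20:
            return False  # unknown client or truncated packet: discard
        length = struct.unpack("!H", packet[2:4])[0]
        if packet[0] != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
            return False
        expected = acct_authenticator(packet[:4], packet[20:length], secret)
        return hmac.compare_digest(expected, packet[4:20])

def demo() -> tuple:
    proxy_ip = "192.0.2.5"  # constructed documentation address
    upstream = HomeServer({proxy_ip: b"secret-A"})  # constructed secrets
    old = build_acct_request(1, b"alice@proxydomain.com", b"secret-A")
    new = build_acct_request(2, b"bob@newdomain.example", b"secret-B")
    # Same source IP for both realms: only the packet signed with secret-A verifies.
    return upstream.accept(proxy_ip, old), upstream.accept(proxy_ip, new)

if __name__ == "__main__":
    print(demo())
```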


