Testing radius server

tnt at kalik.net tnt at kalik.net
Fri Dec 11 20:20:56 CET 2009


> Document problems:
> Here is an example excerpt from a page on the web:
>
> CLIENTS
> Make sure the clients (portmasters, Linux with portslave etc) are set up
> to use the host FreeRADIUS is running on as authentication and accounting
> host.
> Configure these clients to use a "radius secret password". For every
> client, also enter this "secret password" into the file /etc/raddb/clients.conf
>
> Allow me to tell you where my confusion is:
> 1-The "clients" becomes confusing, when I see portmasters etc. Is this
> meant the users who want to get access through a NAS or AP?

Right, you are confusing clients of the radius server with clients of the
server that uses radius for authentication. A radius client is a device that
uses the radius server for authentication. That device is usually a network
access server (NAS) which in turn has its clients trying to use the
network. These clients are in radius "speak" called users.

> 2-The "host" here meant to be the server? Why is it called host?

It's a device on which freeradius is running, i.e. it's hosting this program.

> 3-The "radius secret password" is defined again as "secret password" and
> "shared secret", all these meant PSK (preshared key). Why is it not called
> so? Instead of adding many different words for the same definition. See
> I'm an engineer; definitions are critical to my understanding, and subtle
> differences can throw me off. Maybe I'm too meticulous.
>
> 4-I looked up the "secret password" in the clients.conf, it was defined as
> "shared secret". All this confusion could have been eliminated by just
> using PSK (PreShared Key).

The term "preshared key" is mostly associated with wireless. "Shared secret"
is the preferred term.

> 5-Please take a look at this paragraph from the same file:
> #
> #  You can now specify one secret for a network of clients.
> #  When a client request comes in, the BEST match is chosen.
> #  i.e. The entry from the smallest possible network.
> #
> #client 192.168.0.0/24 {
> #	secret		= testing123-1
> #	shortname	= private-network-1
> #}
>
> 1-The above tells me, every user will have to be entered into Radius with
> a user and password, which is obvious, but why the IP address has to be as
> part of this context? A user would use DHCP so this cannot be used.

See above. This is where you define radius clients. They have to have a
fixed IP for radius server to accept radius requests from them. Security
measure.

You define users and passwords in the users file. Or sql, ldap, use system
passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite
a range of options for password storage and validation.

Ivan Kalik
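The reply above explains two things about clients.conf: entries describe radius clients (NAS devices) identified by a fixed IP or network, and when several entries cover a request's source address the "BEST match" is chosen, meaning the entry from the smallest network. The following is an added example, not code from the mailing list or from FreeRADIUS itself, that models that selection rule in Python. The 192.168.0.0/24 entry is the one quoted in the post; the 192.168.0.10 host entry and the 10.0.0.0/8 entry, their secrets and shortnames, are assumed values constructed for illustration. The simplified parser only understands the `client <address> { key = value }` shape seen in the quoted fragment.

```python
import ipaddress

# Constructed clients.conf-style fragment. Only the 192.168.0.0/24 block is
# from the post; the other two blocks are assumed values for illustration.
SAMPLE_CLIENTS_CONF = """
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#
client 192.168.0.0/24 {
	secret		= testing123-1
	shortname	= private-network-1
}
client 192.168.0.10 {
	secret		= nas-specific-secret
	shortname	= nas-wifi-ap
}
client 10.0.0.0/8 {
	secret		= testing123-2
	shortname	= private-network-2
}
"""


def parse_clients(text):
    """Parse 'client <ip|cidr> { key = value ... }' blocks.

    Returns a list of (network, attributes) pairs. A bare host address such
    as 192.168.0.10 becomes a /32 network so it can compete on prefix length.
    This is a deliberately simplified grammar, not FreeRADIUS's real parser.
    """
    clients = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("client ") and line.endswith("{"):
            addr = line[len("client "):-1].strip()
            current = (ipaddress.ip_network(addr, strict=False), {})
            continue
        if line == "}" and current is not None:
            clients.append(current)
            current = None
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1][key] = value
    return clients


def best_match(clients, source_ip):
    """Pick the most specific (longest prefix) client entry for a source IP.

    Returns the entry's attributes plus the matched network, or None when no
    entry covers the address: a request from an unknown NAS address is not
    accepted, which is the "fixed IP" security measure described in the reply.
    """
    ip = ipaddress.ip_address(source_ip)
    candidates = [(net, attrs) for net, attrs in clients if ip in net]
    if not candidates:
        return None
    net, attrs = max(candidates, key=lambda entry: entry[0].prefixlen)
    return {"network": str(net), **attrs}


if __name__ == "__main__":
    table = parse_clients(SAMPLE_CLIENTS_CONF)
    for src in ("192.168.0.10", "192.168.0.20", "10.1.2.3", "172.16.0.1"):
        print(src, "->", best_match(table, src))
```

Running the block shows that 192.168.0.10 is served by the /32 host entry even though the /24 also covers it, 192.168.0.20 falls back to the /24 network secret, and 172.16.0.1 matches nothing and is rejected. Note that each secret belongs to a NAS, not to a user; user credentials live in the users file or a backend, as the reply says.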
