Testing radius server

gera gera at gera.me
Fri Dec 11 21:00:23 CET 2009


s/link/lingo/

On Fri, Dec 11, 2009 at 12:58 PM, gera <gera at gera.me> wrote:

> As simple as this:
>
> "shared secret", "clients", "user" and so on are all part of the link
> defined on the RFC2865 (where RADIUS is defined).
>
> So, for anyone who already read the RADIUS RFC, understanding how it's
> implemented on freeradius should be easy. If this is confusing for somebody,
> he should propose changes to the RFC.
>
> http://www.ietf.org/rfc/rfc2865.txt
>
> Greetings.
>
>
> On Fri, Dec 11, 2009 at 12:20 PM, <tnt at kalik.net> wrote:
>
>> > Document problems:
>> > Here is an example excerpt from a page on the web:
>> >
>> > CLIENTS
>> > Make sure the clients (portmasters, Linux with portslave etc) are set up
>> > to use the host FreeRADIUS is running on as authentication and accounting
>> > host. Configure these clients to use a "radius secret password". For every
>> > client, also enter this "secret password" into the file /etc/raddb/clients.conf
>> >
>> > Allow me to tell you where my confusion is:
>> > 1-The "clients" becomes confusing when I see portmasters, etc. Does this
>> > mean the users who want to get access through a NAS or AP?
>>
>> Right, you are confusing clients of the radius server with clients of the
>> server that uses radius for authentication. A radius client is a device that
>> uses a radius server for authentication. That device is usually a network
>> access server (NAS) which in turn has its clients trying to use the
>> network. These clients are, in radius "speak", called users.
>>
>> > 2-Is the "host" here meant to be the server? Why is it called host?
>>
>> It's the device on which freeradius is running, i.e. it's hosting this program.
>>
>> > 3-The "radius secret password" is defined again as "secret password" and
>> > "shared secret"; all these mean PSK (preshared key). Why is it not called
>> > so, instead of adding many different words for the same definition? See,
>> > I'm an engineer; definitions are critical to my understanding, and subtle
>> > differences can throw me off. Maybe I'm too meticulous.
>> >
>> > 4-I looked up the "secret password" in the clients.conf; it was defined
>> > as "shared secret". All this confusion could have been eliminated by just
>> > using PSK (PreShared Key).
>>
>> The term "preshared key" is mostly associated with wireless. "Shared secret"
>> is the preferred term.
>>
>> > 5-Please take a look at this paragraph from the same file:
>> > #
>> > #  You can now specify one secret for a network of clients.
>> > #  When a client request comes in, the BEST match is chosen.
>> > #  i.e. The entry from the smallest possible network.
>> > #
>> > #client 192.168.0.0/24 {
>> > #     secret          = testing123-1
>> > #     shortname       = private-network-1
>> > #}
>> >
>> > 1-The above tells me every user will have to be entered into Radius with
>> > a user and password, which is obvious, but why does the IP address have to
>> > be part of this context? A user would use DHCP, so this cannot be used.
>>
>> See above. This is where you define radius clients. They have to have a
>> fixed IP for the radius server to accept radius requests from them. Security
>> measure.
>>
>> You define users and passwords in the users file. Or sql, ldap, system
>> passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite
>> a range of options for password storage and validation.
>>
>> Ivan Kalik
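The clients.conf rule quoted in the thread (a client is identified by its fixed source address, the entry from the smallest matching network wins, and its shared secret is what the RFC 2865 packet authenticator is computed over) as an added worked example. This is not code from the thread or from FreeRADIUS; the client table, secrets and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

# Constructed stand-in for clients.conf entries: (network, secret, shortname).
# Values are made up for this example; they are not taken from the thread.
CLIENTS = [
    ("192.168.0.0/16", "testing123-wide", "private-network-wide"),
    ("192.168.0.0/24", "testing123-1", "private-network-1"),
    ("10.0.0.5/32", "nas-5-secret", "nas-5"),
]


def lookup_client(src_ip):
    """Return (secret, shortname) for the most specific matching network.

    Mirrors the clients.conf rule: when several entries contain the source
    address, the entry from the smallest network (longest prefix) wins.
    Returns None when nothing matches, the case in which a RADIUS server
    drops the request: a NAS that is not configured is not a client.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, secret, name in CLIENTS:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, secret, name)
    return None if best is None else (best[1], best[2])


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 section 3 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is what the per-client shared secret is actually used for on the wire."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret.encode()).digest()


def accept_for(src_ip, identifier, request_auth, attributes=b""):
    """Build an Access-Accept (code 2) for a request from src_ip using the
    secret of the best-matching client, or return None if src_ip is unknown."""
    client = lookup_client(src_ip)
    if client is None:
        return None
    secret, _shortname = client
    auth = response_authenticator(2, identifier, request_auth, attributes, secret)
    return struct.pack("!BBH", 2, identifier, 20 + len(attributes)) + auth + attributes
```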