Multiple incoming requests from unknown clients
Diego Matute
dmatute at cyphercor.com
Tue Aug 14 16:29:13 CEST 2012
I guess I misunderstand why knowing the client IP matters, if the shared
secret is passed isn't that enough. The IP address isn't secure either.
Shared secrets are for client-server pairs hence you can have multiple
shared secrets.
What I am trying to do is enable multiple unknown clients to connect to a
single server and be served off of different user stores.
On Tue, Aug 14, 2012 at 10:16 AM, Alan DeKok <aland at deployingradius.com>wrote:
> Diego Matute wrote:
> > The only attributes passed to the server config are related to the
> > source IP address, which is not enough information to determine which
> > policy to apply.
>
> I think you don't understand how RADIUS works.
>
> Keying policies off of client IP is not always good. Keying policies
> off of *unknown* client IPs is bad.
>
> > The use case is configuring FreeRADIUS to accept requests from unknown
> > clients with different policies. By different policies I mean different
> > authentication methods. I thought the secret key could be used to
> > differentiate the calls and apply the correct policy. Have I missed
> > something here?
>
> Yes. RADIUS doesn't work like that. You're confused in your
> terminology. There's no "secret key". It's the "shared secret".
>
> Precision matters. If you ask for a cup of coffee when you really
> wanted a glass of water, you won't get what you want.
>
> > The domain names and potentially IP addresses clients use to configure
> > the target RADIUS server could differ.
>
> RADIUS doesn't use domain names. Domain names *cannot* be trusted.
> RADIUS uses source IP addresses. And it doesn't even trust those. The
> client still needs the shared secret.
>
> > However, in the backend there
> > would be a single server servicing requests. Not a big fan of this
> > approach. Another way would be requiring the client to configure
> > additional attributes to be passed down in the request. Also not a fan
> > of this approach.
>
> All of your approaches are based on fundamental misunderstandings of
> how RADIUS works.
>
> The client IPs have to be known. The client IPs are used to select a
> shared secret. The shared secret is used to verify that the packets
> aren't forged.
>
> Once the server has decided that the packet is OK, the packet is
> proceses through the various policies. These policies determine which
> databases are used, whether or not to proxy the request, what goes in
> the reply, etc.
>
> That's how RADIUS works. I have no idea what you are trying to do.
> From what little I understand, it's much more complicated than necessary.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120814/8c599778/attachment.html>
More information about the Freeradius-Users
mailing list