Multiple shared secret per IP?

Chris Taylor (chtaylo2) chtaylo2 at cisco.com
Mon Feb 13 21:53:03 CET 2017


Thank you all. I think running a secondary IP might be the way to go here. A lot of good suggestions.



On 2/13/17, 12:14 PM, "Freeradius-Users on behalf of Peter Lambrechtsen" <freeradius-users-bounces+chtaylo2=cisco.com at lists.freeradius.org on behalf of peter at crypt.nz> wrote:

    On 14/02/2017 05:52, "Brian Candler" <b.candler at pobox.com> wrote:
    
    On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote:
    
    > user: monitor
    >
    > source IP: 64.0.0.1
    >
    > secret: MonitorAgent
    >
    >
    > ^ - That’s easy. To complicate, I need to also authenticate real users
    > from the same source server, using a different shared secret.  (anyone can
    > view the one above, so not secure) Ideally, I’d like to also lock down the
    > above secret key, to the single user.
    >
    >
    >
    
    Could you add a second IP address to the server (i.e. an alias), and bind
    to that when sending your test queries?
    
    
    I was just about to reply and say exactly the same thing.
    
    On my development server I have bound 6 secondary IP addresses to it and
    use
    
    Packet-Src-IP-Address
    
    In the first line of the request.
    
    http://lists.freeradius.org/pipermail/freeradius-devel/2012-October/007185.html
    
    The other option as suggested is to add multiple IP addresses on the server
    or a listen statement in the configuration with a new port and use a per
    port clients to specify the shared secret.
    
    In the end after various different ways of achieving it I created my own
    custom VSA and include that in the request to determine the NAS type. Then
    for normal NASes I use client shortname and make decisions in code. And for
    my development server I don't define client shortname and pass it in as an
    additional VSA.
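The per-port clients option mentioned in the thread, as an added FreeRADIUS 3.x configuration example that is not part of the original posts. The port 18120, the section and client names, the second secret, and the use of PAP with a `monitor` entry in the `files` module are assumptions; the source IP, user name and probe secret are the ones quoted above.

```conf
# Added example for FreeRADIUS 3.x. Port, names and the second secret are
# assumed placeholders, not values from the thread.

# Client list consulted only by the monitoring socket below.
clients monitor_clients {
	client monitor_probe {
		ipaddr = 64.0.0.1        # source IP quoted in the thread
		secret = MonitorAgent    # the widely readable probe secret
	}
}

# Extra authentication socket; 18120 is an assumed port.
listen {
	type = auth
	ipaddr = *
	port = 18120
	clients = monitor_clients    # per-socket clients override the global list
	virtual_server = monitor
}

# Requests arriving with the probe secret can only reach this virtual server,
# which rejects every user except "monitor".
server monitor {
	authorize {
		if (&User-Name != "monitor") {
			reject
		}
		files    # assumes "monitor" is defined in the users file
		pap      # assumes the probe sends a PAP User-Password
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
}

# Global clients.conf entry for the same source IP, used on the default
# port 1812 for real users, with its own secret (placeholder value).
client app_server {
	ipaddr = 64.0.0.1
	secret = CHANGE_ME_LONG_RANDOM_SECRET
}
```

With this layout, knowing `MonitorAgent` does not help against the default port, because packets sent there are verified with the other secret.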