Multiple radius clients from one IP
arjuniet.28 at gmail.com
Thu Jan 9 17:47:30 CET 2020
I replied from my phone. Alan already explained what I wrote in my last mail.
Sorry for the duplication on my side.
On Thu, Jan 9, 2020, 9:53 PM arjun sharma <arjuniet.28 at gmail.com> wrote:
> Please read this. It's very much possible; what you need to do is, on each
> client (access point), configure different RADIUS server auth and acct ports.
> Like on AP 1:
> AUTH SERVER = RADIUSIP: PORT 1
> On AP 2:
> AUTH SERVER = RADIUSIP: PORT2
> This way virtual servers need to be configured to listen on these ports at
> radius site.
> Alan, this way clients with the same IP will be distinguished.
> Please read the above link.
> On Thu, Jan 9, 2020, 7:04 PM Alan DeKok <aland at deployingradius.com> wrote:
>> On Jan 9, 2020, at 7:57 AM, Xander Lammertink <jooppy92 at hotmail.com>
>> > I was working on setting up FreeRADIUS, however I came across the
>> > following problem:
>> > I'd like to have the clients of my access point with multiple SSIDs to
>> > authenticate using radius.
>> > The way I tried to set this up was by creating multiple clients each
>> > having their own secret and refer to a virtual server.
>> > Based on the radius client, the preferred virtual server would be
>> > chosen that would select the desired authentication mechanism.
>> Based on *what part* of the RADIUS client? How does the server know
>> which packet comes from which client?
>> > However, when I create two clients with the same "ipaddr" (which is the
>> > case for my access point), I get the following error:
>> > freeradius: Failed to add duplicate client client_name
>> Yes. RADIUS clients are distinguished by source IP address. That's
>> how RADIUS works.
>> > When reading the link below I see it's possible to use my approach,
>> > except the ipaddr thing is making stuff difficult.
>> > https://networkradius.com/doc/3.0.10/raddb/sites-available/home.html
>> No, that page does *not* say it's possible to use your approach. It
>> says each client can use its own virtual server. It does *not* say that
>> you can list the same IP address for multiple clients.
>> > So is there a way to have multiple clients authenticate from the same
>> > IP address (each referring to another virtual server) without listing on
>> > multiple tcp/udp ports?
>> No. RADIUS doesn't work like that.
>> Think of it this way: how does the RADIUS server tell that the packet
>> is from client 1 versus from client 2? What part of the configuration you
>> edited allows the server to make that distinction?
>> i.e. what piece of information lets the server tell the two packets
>> The answer is "nothing". Therefore, what you're doing won't work.
>> Have the server listen on multiple ports, and configure different
>> clients to use different ports.
>> Alan DeKok.
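The lookup problem discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a simplified model of a server that must pick the shared secret and virtual server from socket facts alone before it can verify a packet's Message-Authenticator (HMAC-MD5 per RFC 2869). Keyed by source IP only, the second client is a duplicate; keyed by (listening port, source IP), each SSID gets its own secret and virtual server. The function names, IP address, ports, secrets and virtual server names are constructed for illustration.

```python
import hashlib, hmac, os, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def add_client(table, key, secret, server):
    """Register a client; a repeated key is rejected, like the error in the thread."""
    if key in table:
        raise ValueError(f"Failed to add duplicate client {key}")
    table[key] = (secret, server)

def build_access_request(secret, user, ident=1):
    """Access-Request with User-Name and a valid Message-Authenticator."""
    name = user.encode()
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name
    attrs += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)  # zeroed placeholder
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute here

def verify(pkt, secret):
    """Recompute HMAC-MD5 over the packet with the attribute value zeroed."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False  # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator: treat as unverifiable

def dispatch(table, listen_port, src_ip, pkt):
    """Pick secret and virtual server from socket facts only, then verify."""
    entry = table.get((listen_port, src_ip))
    if entry is None or not verify(pkt, entry[0]):
        return None  # unknown client or wrong secret: drop
    return entry[1]

# Constructed sample values: one AP IP, one listener port per SSID.
AP_IP = "192.0.2.10"
CLIENTS = {}
add_client(CLIENTS, (1812, AP_IP), b"secret-ssid-a", "vs_ssid_a")
add_client(CLIENTS, (11812, AP_IP), b"secret-ssid-b", "vs_ssid_b")
```

A request signed with the second secret is accepted only on port 11812; sent to port 1812 it is checked against the first secret and dropped.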