[EXT] Re: Multiple NAS clients within same network

Brian Julin BJulin at clarku.edu
Tue Oct 4 17:39:32 UTC 2022


Alan DeKok <aland at deployingradius.com> wrote:
>  Use RADIUS over TLS.  It solves this problem, and is secure.
>  I have a document which I will be working through the IETF as a new RADIUS standard.  It will officially deprecate RADIUS/UDP, and require TLS transport for most situations.
>  The document will also explain just how bad an idea it is to run RADIUS/UDP over the Internet.  Do you like people breaking all of your security?  No?  Then don't run RADIUS/UDP over the Internet.

That surely cannot be emphasized enough.  It's surprising people do it.

Let's assume the remote site traffic is safely tunneled by other means, though. If the user cannot set up a RadSec proxy server at the branch, then what I would recommend is to run a remote proxy instance of FreeRADIUS in addition to the main FreeRADIUS server.  Send one of the two clients there instead of to the main RADIUS server.  That proxy server instance would have a separate database of clients with the keys for that particular client appliance, and then would use the home server secret when relaying to the main FreeRADIUS instance.

The two instances could be on the same machine, just using different ports.  You just have to keep the config files separate for each process.

But... as Alan said... I do not recommend this unless you have a means to keep the RADIUS/UDP traffic in an encrypted tunnel between the branch and home office.  And if you have an encrypted tunnel, you can probably run routes through it and give the VPN and WiFi different, private, IP addresses, even if they are the same appliance.
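
The two-instance layout described in this message, sketched as FreeRADIUS 3.x configuration fragments; this is an added example, not configuration from the original post or from the FreeRADIUS project. The client and realm names, the address 192.0.2.10, port 11812 and the secret placeholders are all assumptions made for illustration.

```conf
# ===== Proxy instance (its own config directory) =====
# clients.conf: only the one client service that is sent to this instance
client branch_wifi {
    ipaddr = 192.0.2.10              # placeholder: branch appliance address
    secret = WIFI_CLIENT_SECRET      # placeholder: secret set on that client
}

# sites-enabled/default: listen on a different port, relay every request
server default {
    listen {
        type = auth
        ipaddr = *
        port = 11812                 # assumed non-default port
    }
    authorize {
        update control {
            Proxy-To-Realm := "main_radius"
        }
    }
}

# proxy.conf: the main instance is the home server, with its own secret
home_server main_radius_server {
    type = auth
    ipaddr = 127.0.0.1               # same machine, different port
    port = 1812
    secret = HOME_SERVER_SECRET      # placeholder: proxy <-> main only
}
home_server_pool main_radius_pool {
    type = fail-over
    home_server = main_radius_server
}
realm main_radius {
    auth_pool = main_radius_pool
    nostrip
}

# ===== Main instance =====
# clients.conf: the other client service, plus the local proxy instance
client branch_vpn {
    ipaddr = 192.0.2.10              # same appliance address as above
    secret = VPN_CLIENT_SECRET       # placeholder: differs from the WiFi secret
}
client local_proxy {                 # takes the place of any stock 127.0.0.1 entry
    ipaddr = 127.0.0.1
    secret = HOME_SERVER_SECRET      # must match home_server secret above
}
```

Each instance only ever sees one secret per source address, which is what lets the two services on the same appliance use different keys.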
