Paul Dekkers <[EMAIL PROTECTED]> wrote:
> No: I assume that is not possible. (But proxy-ing can also be 
> bi-directional I guess: the server that forwards a request to a RADIUS 
> proxy-server has to be a client, but can be a proxy for a realm too.)
> But ANY client connecting to the proxy can check credentials for EVERY 
> realm connected to that infrastructure, correct? (And known by the 
> central RADIUS proxy, of course.)

  I'm not sure what you mean by that.

> Bottomline: is it desired in this setup to verify credentials on e.g. 
> employees' home Access-Points via RADIUS (when they configure the RADIUS 
> themselves, and thus know a secret)? In my opinion they can exploit this.

  Of course!  You've given them the secret, so they can do anything,
or pretend to be anyone, that the server allows them to.

  Hint: If only one user is coming in from a client's home AP, you can
do:

#---
# Check items use "==" for comparison; "=" is not a valid check operator
# for RADIUS protocol attributes.  Any User-Name other than "employee"
# arriving from this client IP is rejected before any other processing.
DEFAULT Client-IP-Address == 1.2.3.4, User-Name != "employee", Auth-Type := Reject
        Reply-Message = "Stop trying to play games, employee"
#---

  This ensures that only one person can authenticate from that client.

  If you give the employees the shared secret, then it would be crazy
to *not* do something like that.

> now, and I'll try to make clearer what I meant:
> When an AP connects to a local RADIUS server for authentication, that 
> RADIUS server forwards requests for realms it doesn't know about to an 
> central proxy.

  If you configure it to do that, yes.

> On that central proxy there has to be a client entry for 
> that first RADIUS server (the server that is accessed by the AP), and a 
> proxy entry for every realm the proxy knows about.

  You're mixing up terms here.  It's confusing.  Use:

        client -> proxy server -> home server

  The proxy server must know about the client, share a secret with it,
and which realms to proxy to the home server.  The home server must
know about the proxy server, and share a secret with it.

> I was wondering if, when the AP is hacked,

  If you give the employee the shared secret for the AP, then they can
send *anything* they want as that AP.

> or the first RADIUS server is hacked, (or the secret is simply known
> and the NAS is replaced by a laptop) there can be ANY request for
> any known realm to the central proxy.

  So?  Why would you configure the proxy server to forward requests
for every realm to the home server?

  The proxy server should filter out bad realms.  It's not that hard.

>>[ other servers ]
>
> I haven't seen them. In Radiator, the only other RADIUS server I know 
> about, there are realm entries for forwarding to other servers, and 
> client entries, just as in FreeRADIUS. I tested this setup by checking 
> with radtest via freeradius1 proxied through freeradius2 and then 
> proxied to a Radiator server where the realm was finally checked: I 
> guess this kind of setup works, and one has to be very restrictive about 
> RADIUS clients: e.g. not every home AP of employees of a company should 
> check credentials via RADIUS?! In this setup any part of the 
> infrastructure can be a weak point.

  A client or a server is always a weak point, simply because it
exists, and can be attacked.  What's your concern?

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
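The "NAS replaced by a laptop" scenario from the exchange above, as an added example (my own code, not from the list post or from the FreeRADIUS project). It shows why handing out the shared secret means the holder can "send anything they want as that AP": the only thing RADIUS itself checks is that User-Password decrypts with the secret, so a forged Access-Request is byte-for-byte as valid as one from the real AP. The server side then applies the users-file policy from the post (reject any User-Name other than "employee" from client 1.2.3.4) on top of the protocol. User-Password hiding and the Response Authenticator follow RFC 2865; the secret, the user database, and the second user name are constructed test values, and 1.2.3.4 and "employee" are taken from the users-file entry in the post.

```python
import hashlib
import os
import struct

# Constructed values for this example (assumptions, not from the thread)
SHARED_SECRET = b"secret-handed-to-the-employee"
HOME_AP_IP = "1.2.3.4"                  # the employee's home AP, as a RADIUS client
ALLOWED_USER = "employee"
USER_DB = {"employee": "correct-horse"}   # constructed stand-in for the user store

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), c_i = p_i XOR MD5(secret + c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(pairs):
    """Type-Length-Value encoding of RADIUS attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(packet):
    """Parse the attribute list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(user, password, secret, ident=7):
    """What a laptop standing in for the AP sends.  Nothing in the packet is
    bound to the real device; it is bound only to knowledge of the secret."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + req_auth + attrs + secret).digest()


def server_handle(packet, src_ip, secret):
    """Server side.  Decrypting the password proves only that the sender knows
    the client's secret; the per-client User-Name restriction is policy on top."""
    _code, ident, _length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = decode_attrs(packet)
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth).decode()

    if src_ip == HOME_AP_IP and user != ALLOWED_USER:
        # The users-file entry from the post, expressed in code.
        reply_code = ACCESS_REJECT
        msg = f"Stop trying to play games, {ALLOWED_USER}".encode()
        reply_attrs = encode_attrs([(REPLY_MESSAGE, msg)])
    elif USER_DB.get(user) == password:
        reply_code, reply_attrs = ACCESS_ACCEPT, b""
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""

    resp_auth = response_authenticator(reply_code, ident, reply_attrs, req_auth, secret)
    reply = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs)) + resp_auth + reply_attrs
    return reply_code, reply


def client_verify_reply(reply, request, secret):
    """Client side: check the Response Authenticator against the request it sent."""
    code, ident, _length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return reply[4:20] == expected


if __name__ == "__main__":
    # A laptop with the leaked secret, posing as the home AP, tries another user.
    forged = build_access_request("someone-else@other.realm", "guess", SHARED_SECRET)
    code, reply = server_handle(forged, HOME_AP_IP, SHARED_SECRET)
    print("forged request ->", "Access-Reject" if code == ACCESS_REJECT else "Access-Accept",
          decode_attrs(reply).get(REPLY_MESSAGE, b"").decode())
    # The legitimate employee from the same AP still authenticates.
    real = build_access_request("employee", "correct-horse", SHARED_SECRET)
    code, reply = server_handle(real, HOME_AP_IP, SHARED_SECRET)
    print("employee ->", "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject",
          "| reply authentic:", client_verify_reply(reply, real, SHARED_SECRET))
```

The point to take from running it: the forged request is rejected only because of the User-Name policy, not because anything in the packet gave the laptop away. Without that policy (or per-client realm filtering at the proxy), the same packet with a different User-Name would be forwarded to whatever home server the realm maps to.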