Hi Marcin,

You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can use the same key. I think that doing 0.0.0.0/0 would be a very bad plan since it only requires that an attacker know the shared key to be able to send valid requests.

Since all your devices are matched by a single entry then *all* your devices by definition must use the same key and it becomes more likely that the knowledge of that key will "get out" and you'll have the tedious task (if you even notice) of changing the secret key on every single NAS.

If you can constrain it to a small subnet, then that's slightly better (although still somewhat risky). The best method is to have individual clients listed with *unique* keys per client (yes, I know this is a real pain but if you want security this is about the best you can do with the limited security afforded by the shared key).

Rgds,
Guy

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Marcin Jessa
> Sent: 15 July 2005 11:29
> To: FreeRadius
> Subject: Allowing any NAS to connect to my radiusd.
>
> Hi.
>
> I would like to allow any NAS IP to connect to my radius
> server restricting connections from NAS only with shared
> secret - username and password. Is it possible to use 0.0.0.0
> or ANY in clients.conf/SQL nas table? What are the security
> issues having an open setup like that?
>
> Cheers
> Marcin Jessa.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
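
An added example, not part of the original e-mails and not FreeRADIUS code: a small Python audit of clients.conf-style entries that flags the three situations the reply ranks, namely a catch-all 0.0.0.0/0 entry, a subnet sharing one secret, and the same secret reused across entries. The sample entries, addresses and secrets are constructed; the script assumes each client is an IP or CIDR given in the block header or in `ipaddr`, and that secrets contain no `#`.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in clients.conf style; addresses and secrets are made up.
SAMPLE = """
client 0.0.0.0/0 {
    secret    = sharedkey
    shortname = anything
}
client 10.10.10.0/24 {
    secret    = sharedkey
    shortname = branch-nas
}
client 10.10.20.5 {
    secret    = Uq7-unique-per-nas
    shortname = nas-20-5
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return (network, secret) pairs; address is the header or `ipaddr`."""
    out = []
    for name, body in CLIENT_RE.findall(re.sub(r"#.*", "", text)):  # drop comments
        attrs = dict(ATTR_RE.findall(body))
        net = ipaddress.ip_network(attrs.get("ipaddr", name), strict=False)
        out.append((net, attrs.get("secret", "")))
    return out

def audit(text):
    """Flag catch-all entries, multi-host subnets and secrets used twice."""
    findings, by_secret = [], defaultdict(list)
    for net, secret in parse_clients(text):
        by_secret[secret].append(str(net))
        if net.prefixlen == 0:
            findings.append(("any-source", str(net)))
        elif net.num_addresses > 1:
            findings.append(("subnet-shares-one-secret", str(net)))
    for nets in by_secret.values():
        if len(nets) > 1:
            findings.append(("secret-reused", ",".join(nets)))
    return findings

if __name__ == "__main__":
    for kind, where in audit(SAMPLE):
        print(f"{kind}: {where}")
```

An empty result means every entry is a single host with its own secret, which is the layout the reply recommends.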

