Alan DeKok wrote:

sophana <[EMAIL PROTECTED]> wrote:
In my project, I don't own the hotspots, and don't know about the hotspots ISPs.
The hotspots communicate to the radius server through the internet.

 I would suggest using another method to get a secure connection to
the hotspot.  Maybe IPSec.

 Barring that, each hotspot has a dynamic IP within a small network
range.  So you can list the network in "clients.conf", and at least
have one shared secret per hotspot location.  This *is* documented in
clients.conf, please read it.

I don't want to do that, because it is too complex to set up. My users set up their hotspot by themselves (at least at the beginning). Setting up a VPN is too complicated. I just want the setup as simple as possible.

Ok. I don't know much about the radius protocol details, maybe you could help me understand how secure a solution would be where the secret is known by everybody.

 I thought I said it WOULDN'T be secure.  What part of my response
was unclear?

Now, once a user is authenticated, how does the nas send accounting info?

 Read the documentation.  That's what it's there for.

Ok sorry for asking. I finally read the RFC2866.
I saw that the accounting request authenticator only depends on the famous secret, not on the authentication.
I am now convinced that the secret must remain secret.

But I think there is a solution for having dynamic ip that could be implemented.
Please tell me if I'm wrong.
Both the Access Request and Accounting Request MUST have the NAS-IP-Address <http://www.freeradius.org/rfc/rfc2865.html#NAS-IP-Address> attribute or a NAS-Identifier <http://www.freeradius.org/rfc/rfc2865.html#NAS-Identifier> attribute (or both). Does this mean that ALL packets sent from the client contain at least one of these 2 attributes? So does this mean that the radius server could look up in its database a secret according to one of these attributes instead of the ip address?
That would definitely solve the dynamic ip address problem, wouldn't it?

I need security, because I will use accounting info to perform facturation...

 Facturation isn't an English word.

Sorry, facturation is the French word for billing.

Regards

Sophana KOK
