Hi,

Ivan Kalik wrote:
The problem is that the hotspots can be anywhere.  They are mostly
behind ADSL lines.  The source ip address of the radius packet is
therefore not predictable.


Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
providers can use. And you configure the subnet, not exact IP in
dynamic-clients. Just make one for each ADSL pool.


The problem is that our product is:

Buy the hotspot. Install it.
We don't care where, as long as it has internet access.

To "steal" a quote from freeradius:  It just works.  :-)

I therefore cannot even predict the subnet.

The only other way I can think of is identifying the nas by the
NAS-Identifier.


Why "other"? That's a bad idea.


Don't understand what you mean.

To sum up.
Currently a nas is "authenticated" by ip address/radius secret.
I feel that being able to "authenticate" a nas by nas identifier/radius
secret is a very good enhancement.

I'm sure that I'm not the only one that has NASes behind dynamic IPs,
and this would make radius traffic from such NASes much more secure.


How many other people on the list have NASes behind dynamic IPs?


No, that would be less secure. Enhancement would be to have NAS-Identifier
*on top* of Packet-Src-IP-Address. Then you could assign individual shared
secrets to each hotspot (at present whole range has to have same shared
secret).


Agreed.  Using both would be more secure.

I'm sure we can have a long debate over whether Packet-Src-IP-Address/secret or NAS-Identifier/secret is more secure, but that would probably be a waste of time.

Having NAS-Identifier on top of Packet-Src-IP-Address would still allow me to do what I want.

You hit the nail on the head above. The problem is that a whole range has to have the same secret.

Even if all my customers were behind the same DSL provider, and I therefore have a reduced subnet for clients, they still have to have the same secret, which means my radius secret becomes public knowledge!

It would be really great to be able to give each nas its own secret.



Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
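
The scheme both posters end up agreeing on (NAS-Identifier on top of Packet-Src-IP-Address, with one secret per hotspot) can be sketched as below. This is an added example, not part of the original thread and not FreeRADIUS code; the client table, identifiers, secrets and function names are constructed for illustration, and it assumes the NAS sends a Message-Authenticator attribute (HMAC-MD5 over the packet) so the server can prove which secret was used.

```python
import hashlib, hmac, ipaddress, os, struct

NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80   # RADIUS attribute types

# Constructed client table: (source subnet, NAS-Identifier) -> per-hotspot secret.
CLIENTS = {
    ("198.51.100.0/24", b"hotspot-001"): b"secret-for-001",
    ("198.51.100.0/24", b"hotspot-002"): b"secret-for-002",
}

def parse_attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def build_request(nas_id, secret):
    """Build an Access-Request carrying NAS-Identifier and Message-Authenticator."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # computed with the field zeroed
    return pkt[:-16] + mac

def authenticate_nas(src_ip, packet):
    """Return the NAS-Identifier if subnet, identifier and HMAC all agree, else None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    try:
        attrs = {t: (off, val) for t, off, val in parse_attrs(packet)}
    except ValueError:
        return None
    if NAS_IDENTIFIER not in attrs or MESSAGE_AUTHENTICATOR not in attrs:
        return None
    nas_id = attrs[NAS_IDENTIFIER][1]       # only a claim until the HMAC verifies
    off, mac = attrs[MESSAGE_AUTHENTICATOR]
    if len(mac) != 16:
        return None
    for (subnet, ident), secret in CLIENTS.items():
        if ident == nas_id and ipaddress.ip_address(src_ip) in ipaddress.ip_network(subnet):
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return nas_id if hmac.compare_digest(mac, expected) else None
    return None
```

A secret extracted from one hotspot no longer lets its holder pass as another hotspot in the same range, because the identifier only selects which secret the packet must verify against.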
