Again thanks Arran.

This is quite a handful!

A quick reading about radsec (http://wiki.freeradius.org/RadSec) shows that it's 
not supported by freeradius??

What about the "encrypted tunnel" way, can you lead me to a tutorial or MAN 
page that may help me?

Many thanks.

Grace.

  ----- Original Message ----- 
  From: Arran Cudbard-Bell 
  To: FreeRadius users mailing list 
  Sent: Friday, August 26, 2011 3:23 PM
  Subject: Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs




  On 26 Aug 2011, at 12:08, Grace M. wrote:


    Thank you Arran for quick reply.

    Since the NAS(s) will be in other networks, they will appear to my server
    as dynamic *public ips* and sometimes the NAS(s) will be multiple
    in one external NATed network (such will appear as from 1 public ip). In
    this case I will need to specify a range of public ips??


  Yes, either that or use the dynamic-clients virtual server in 
raddb/sites-available to just accept any client. Then use the same shared 
secret for all external clients.


  If you're using an EAP method with some kind of TLS layer then the shared 
secret doesn't really do anything useful, other than providing crude protection 
against DoS attacks (even then that won't always work).


  Incidentally if you are doing PAP or CHAP then you should not be sending the 
RADIUS packets over a public network without using RADSEC or running them 
through some sort of encrypted tunnel. 


  -Arran







    Don't know if I'm making sense.

    Grace
      ----- Original Message -----
      From: Arran Cudbard-Bell
      To: FreeRadius users mailing list
      Sent: Friday, August 26, 2011 2:55 PM
      Subject: Re: A trick for configuring freerad to authenticate multiple NAS with dynamic IPs




      On 26 Aug 2011, at 11:49, Grace M. wrote:


        Guyz,

        I have FreeRADIUS Version 2.1.10 working with mysql to authenticate
        users connected to a number of NAS(s).

        Now, I would like to authenticate NAS(s) which should connect to my 
freerad from other networks (outside my lan) which have dynamic IPs.

        Anyone with a trick on how to configure clients.conf for that?


      You can specify IP ranges for clients? Would this help? Or are the 
dynamic clients extra dynamic?


      -Arran


      Arran Cudbard-Bell
      a.cudba...@freeradius.org


      RADIUS - Half the complexity of Diameter





--------------------------------------------------------------------------



      -
      List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html