John Coy writes:
> I use Tom's approach -- set all the secrets the same on
> all my NAS' and then use a default client statement.  It
> will protect you any which way.

Personally, I think this can pose a security risk.  Using the same secrets
on all the NAS's isn't so bad, though not quite secure, but the DEFAULT 
client is something that bothers me.  What prevents somebody from the net
from hitting your Radius server and trying to authenticate?

I would either define a separate CLIENT section for each NAS, or define a
single CLIENT section and use IdenticalClients to indicate all the other 
NAS's that can also use that section.

I would suggest a couple of new features that would allow the above suggestion
from John to work, similar to how Apache does it:

  <LIMIT>
    Order Deny,Allow
    AllowFrom <IP_PATTERN> <IP_PATTERN> ...
    DenyFrom <IP_PATTERN> <IP_PATTERN> ...
  </LIMIT>

In any case, keep security in mind when configuring your radius server,
even if you are sitting behind a firewall or router using filters.

> As for DNS, you should have a primary and a secondary and the
> chance of both failing should be slim.
> You can always set several DNS entries on your
> UNIX host's /etc/resolv.conf which point to off-site DNS
> servers such as your upstream ISPs DNS servers.
>
> At 12:42 AM 10/31/99 +1000, you wrote:
> >On Sat, Oct 30, 1999 at 07:00:07AM -0600, Chris M wrote:
> >> Is it a better practice to use IP addresses instead of names for 
> >> <Client>?  What about using both (if DNS fails for some reason it can 
> >> check the IP)?

Back to the original question, I think I would prefer to use IP addresses 
over DNS names.  We don't use DNS names anywhere in our router card configs,
radius configs, etc.  If all the DNS's go (for instance, part of the network
goes out), at least they can still connect, authenticate and use the net by
way of IP addresses (though, not optimal).  However, it is only an opinion
and does not mean to say that DNS addresses are bad.

Just my 2 pence worth.

Scott
-- 
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
      Scott W. Adkins                    http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                    mailto:[EMAIL PROTECTED]
        ICQ 7626282                     Work (740)593-9478 Fax (740)593-1944
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
       CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
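The per-NAS client table and the Apache-style AllowFrom/DenyFrom ordering discussed in the message above, as an added example that is not part of the original post and is not Radiator's own code: it models the semantics in Python, using constructed sample NAS addresses and secrets, expands an IdenticalClients-style list into a flat lookup, and treats a source with no matching client (i.e. no DEFAULT entry) as a packet to discard before any authentication is attempted. The Order evaluation follows Apache's documented rules for Deny,Allow and Allow,Deny.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Client:
    """One NAS entry, the way a per-NAS <Client> section describes it.
    'identical' plays the role of IdenticalClients: other addresses that
    share this section's secret. Addresses are IPs, not DNS names, so the
    lookup keeps working if DNS is unavailable."""
    address: str
    secret: bytes
    identical: list = field(default_factory=list)


# Constructed sample table (hypothetical addresses and secrets): distinct
# secrets per NAS, one section covering a second NAS via 'identical',
# and deliberately no DEFAULT entry.
CLIENTS = [
    Client("192.0.2.10", b"nas10-secret"),
    Client("192.0.2.11", b"nas11-secret", identical=["192.0.2.12"]),
]


def build_client_table(clients):
    """Expand each client (and its identical addresses) into {ip: secret}."""
    table = {}
    for c in clients:
        for addr in [c.address, *c.identical]:
            table[ipaddress.ip_address(addr)] = c.secret
    return table


def secret_for(table, src_ip):
    """Return the shared secret for a known NAS, or None for an unknown
    source. Without a DEFAULT client there is nothing to fall back on, so
    the caller discards the packet instead of attempting authentication."""
    return table.get(ipaddress.ip_address(src_ip))


def _matches(ip, patterns):
    # Patterns are CIDR strings; strict=False accepts host bits set (e.g. 192.0.2.99/32).
    return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def access_allowed(src_ip, order, allow_from, deny_from):
    """Apache-style Order evaluation against AllowFrom/DenyFrom CIDR patterns.
    Deny,Allow: permitted by default; denied if a Deny matches unless an Allow
                also matches.
    Allow,Deny: denied by default; permitted only if an Allow matches and no
                Deny matches."""
    ip = ipaddress.ip_address(src_ip)
    allowed = _matches(ip, allow_from)
    denied = _matches(ip, deny_from)
    if order == "Deny,Allow":
        return allowed or not denied
    if order == "Allow,Deny":
        return allowed and not denied
    raise ValueError(f"unknown Order {order!r}")


def accept_request(src_ip, table, order="Allow,Deny", allow_from=(), deny_from=()):
    """Gate an incoming RADIUS request: address filter first, then per-NAS
    secret lookup. Returns the secret to verify the packet with, or None if
    the packet should be silently dropped."""
    if not access_allowed(src_ip, order, allow_from, deny_from):
        return None
    return secret_for(table, src_ip)


if __name__ == "__main__":
    table = build_client_table(CLIENTS)
    # Allow only the NAS subnet, deny everything else; an outside host that
    # "hits the Radius server" gets no secret and no authentication attempt.
    for src in ("192.0.2.10", "192.0.2.12", "203.0.113.5"):
        result = accept_request(src, table, "Allow,Deny", ["192.0.2.0/24"], [])
        print(src, "->", "drop" if result is None else f"verify with {result!r}")
```

The address filter is cheap and runs before any cryptographic work, so an unknown source never gets to probe whether a guessed secret is accepted. Keeping the secret lookup keyed by IP rather than name also means the table needs no resolver at request time.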
