Scott certainly makes some valuable points.  

As with anything in the networking world, there are
several ways to "skin the cat".  I think when you're
managing a network of hundreds of NASs, having
a different secret for each, and a different <Client>
clause makes things just a bit unmanageable.  It's
an issue of scalability, convenience, etc.  

Scott's points are certainly valid and I would
agree that a little access list functionality
would be nice to complement the convenience of
the default client clause.

Mike?  Whatcha think of that for a feature request?

John

At 10:24 PM 10/30/99 -0400, you wrote:
>John Coy writes:
>> I use Tom's approach -- set all the secrets the same on
>> all my NAS' and then use a default client statement.  It
>> will protect you any which way.
>
>Personally, I think this can pose a security risk.  Using the same secrets
>on all the NAS's isn't so bad, though, not quite secure, but the DEFAULT 
>client is something that bothers me.  What prevents somebody from the net
>from hitting your Radius server and trying to authenticate?
>
>I would either define a separate CLIENT section for each NAS, or define a
>single CLIENT section and use IdenticalClients to indicate all the other 
>NAS's that can also use that section.
>
>I would suggest a couple new features that would allow the above suggestion
>from John work, similar to how Apache does it:
>
>  <LIMIT>
>    Order Deny,Allow
>    AllowFrom <IP_PATTERN> <IP_PATTERN> ...
>    DenyFrom <IP_PATTERN> <IP_PATTERN> ...
>  </LIMIT>
>
>In any case, keep security in mind when configuring your radius server,
>even if you are sitting behind a firewall or router using filters.
>
>> As for DNS, you should have a primary and a secondary and the
>> chance of both failing should be slim.
>> You can always set several DNS entries on your
>> UNIX host's /etc/resolv.conf which point to off-site DNS
>> servers such as your upstream ISPs DNS servers.
>>
>> At 12:42 AM 10/31/99 +1000, you wrote:
>> >On Sat, Oct 30, 1999 at 07:00:07AM -0600, Chris M wrote:
>> >> Is it a better practice to use IP addresses instead of names for 
>> >> <Client>?  What about using both (if DNS fails for some reason it can 
>> >> check the IP)?
>
>Back to the original question, I think I would prefer to use IP addresses 
>over DNS names.  We don't use DNS names anywhere in our router card configs,
>radius configs, etc.  If all the DNS's go (for instance, part of the network
>goes out), at least they can still connect, authenticate and use the net by
>way of IP addresses (though, not optimal).  However, it is only an opinion
>and does not mean to say that DNS addresses are bad.
>
>Just my 2 pence worth.
>
>Scott
>-- 
> +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
>      Scott W. Adkins                    http://www.cns.ohiou.edu/~sadkins/
>   UNIX Systems Engineer                    mailto:[EMAIL PROTECTED]
>        ICQ 7626282                     Work (740)593-9478 Fax (740)593-1944
> +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
>       CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979
>
>===
>Archive at http://www.thesite.com.au/~radiator/
>To unsubscribe, email '[EMAIL PROTECTED]' with
>'unsubscribe radiator' in the body of the message.
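A concrete reading of the <LIMIT> block Scott proposes above, as an added example that is not part of this thread or of Radiator: a small Python evaluator with Apache's "Order Deny,Allow" / "Order Allow,Deny" semantics, run over a few constructed NAS source addresses so the DEFAULT-client exposure and the filtered case can be compared side by side. The IP_PATTERN syntax (a single address, a CIDR block, or "all") and the function names are assumptions, not anything the list or Apache defines for RADIUS.

```python
"""Apache-style AllowFrom/DenyFrom evaluation for RADIUS client addresses.

Added example, not Radiator code. Pattern syntax is assumed: a single
address ("10.1.2.3"), a CIDR block ("10.1.0.0/16") or the word "all".
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _parse_patterns(patterns: Iterable[str]) -> List[Network]:
    """Turn IP_PATTERN strings into network objects (assumed syntax)."""
    nets: List[Network] = []
    for pattern in patterns:
        if pattern.lower() == "all":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            nets.append(ipaddress.ip_network("::/0"))
        else:
            # strict=False lets "10.1.2.3" stand for a /32 host route.
            nets.append(ipaddress.ip_network(pattern, strict=False))
    return nets


def _matches(addr, nets: List[Network]) -> bool:
    """True when addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in nets)


def client_allowed(src: str, order: str,
                   allow_from: Iterable[str] = (),
                   deny_from: Iterable[str] = ()) -> bool:
    """Decide whether a request from src may reach the client clause.

    Order "Deny,Allow": Deny rules first, then Allow; an address matched by
    both is allowed, and anything matched by neither is ALLOWED (Apache
    semantics). Order "Allow,Deny": Allow first, then Deny; an address
    matched by both is denied, and anything matched by neither is DENIED.
    """
    addr = ipaddress.ip_address(src)
    allowed = _matches(addr, _parse_patterns(allow_from))
    denied = _matches(addr, _parse_patterns(deny_from))
    normalized = order.replace(" ", "").lower()
    if normalized == "deny,allow":
        if allowed:
            return True
        if denied:
            return False
        return True          # default-permit: same exposure as DEFAULT client
    if normalized == "allow,deny":
        if denied:
            return False
        if allowed:
            return True
        return False         # default-deny: unknown sources never match
    raise ValueError("unknown Order: %r" % order)


# Constructed sample sources: two NASs on the managed 10.1/16 and one
# arbitrary Internet host that should never reach a DEFAULT client clause.
SAMPLE_SOURCES = ["10.1.2.3", "10.1.200.7", "203.0.113.9"]


def audit(limit: Optional[Dict], sources: Iterable[str] = SAMPLE_SOURCES) -> Dict[str, bool]:
    """Map each source address to whether it reaches the client clause.

    limit is None for the unfiltered DEFAULT-client situation discussed in
    the thread, or a dict with keys order / allow_from / deny_from that
    mirrors the proposed <LIMIT> block.
    """
    if limit is None:
        return {s: True for s in sources}
    return {
        s: client_allowed(s, limit["order"],
                          limit.get("allow_from", ()),
                          limit.get("deny_from", ()))
        for s in sources
    }


if __name__ == "__main__":
    print("no <LIMIT>:", audit(None))
    print("Deny,Allow / DenyFrom all / AllowFrom 10.1.0.0/16:",
          audit({"order": "Deny,Allow", "deny_from": ["all"],
                 "allow_from": ["10.1.0.0/16"]}))
    print("Allow,Deny / AllowFrom 10.1.0.0/16:",
          audit({"order": "Allow,Deny", "allow_from": ["10.1.0.0/16"]}))
```

The point worth checking before copying the Apache idiom into a RADIUS config: with Order Deny,Allow and no DenyFrom line, every source is permitted, which is exactly the open DEFAULT client Scott objects to. Either pair Deny,Allow with "DenyFrom all" plus an AllowFrom list of NAS ranges, or use Allow,Deny with only an AllowFrom list; both leave the Internet host in the sample unable to reach the clause.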

