The best solution I can think of that I want to mimic is SecureMyWiFi from WiTopia, a hosted RADIUS service (www.witopia.net). Their service works just like I want.

> > Are you saying it would work, FreeRADIUS would respond to the
> > individual sites?
>
> Yes. This is how *any* networking protocol works.

Would the server see requests as coming just from the Internet IPs, or from the individual APs...meaning would I have to list each location's Internet IP in the client.conf file? I want to be able to list each AP IP individually, tagged with the domain it belongs to.

> >> of course, you could really freak things out by using
> >> VPN tunnels from the inside networks of each site direct to
> >> the FreeRADIUS box - but if all your sites use the same range
> >> of addresses then the server wouldn't have a clue at all of which
> >> tunnel to send the reply down!
> >
> > Why would I want to VPN to the server?
>
> So that your RADIUS packets aren't sent over the Internet in the
> clear.

Gotcha, I need to read more about this.

> >> with latest version 2.x of FreeRADIUS you can have dynamic clients
> >> etc which can select the correct shared secrets depending on
> >> special DB lookups etc - but that's not a choice for you currently.
> >
> > Yes I read about this, and I'll be upgrading soon and moving to
> > Linux. When writing the DB lookups, can I use the User-Name
> > attribute pulled from the requests?
>
> No. Only the source IP address.

Then I'm not sure how I would pull the correct shared secrets...unless it all works per internet IP rather than per AP.

> > This will I think let me search for shared secret based on both
> > the RadiusClient IP and the domain....the other server I tried
> > couldn't do this. I would also consider using the MAC address of
> > the AP instead or in addition to the domain.
>
> I don't think that's necessary. The source IP address should be good
> enough.

Same as above.

Thanks,
Eric

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
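
The thread's point that the server chooses the shared secret from the packet's source IP address only, sketched as an added example (not part of the original message and not FreeRADIUS code). The site names, addresses and secrets are constructed; the Response Authenticator formula is the one defined in RFC 2865.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed client table, keyed by the address the server actually sees.
# Both sites may number their APs 192.168.1.x internally; after NAT only the
# site's public address (documentation ranges here) reaches the server.
CLIENTS = {
    ipaddress.ip_network("192.0.2.10/32"): ("site-a.example", b"secret-for-site-a"),
    ipaddress.ip_network("198.51.100.20/32"): ("site-b.example", b"secret-for-site-b"),
}

def find_client(src_ip):
    """Pick the client entry from the source IP alone, before any attribute is read."""
    addr = ipaddress.ip_address(src_ip)
    for net, entry in CLIENTS.items():
        if addr in net:
            return entry
    return None  # unknown source: the request is dropped

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(src_ip, ident, request_auth):
    """Server side: build an Access-Accept (code 2) signed for whoever owns src_ip."""
    client = find_client(src_ip)
    if client is None:
        return None
    _, secret = client
    attrs = b""  # no reply attributes in this sketch
    auth = response_authenticator(2, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def ap_accepts(reply, request_auth, secret):
    """AP side: recompute the authenticator with the AP's own configured secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

Every AP behind one NATed site address maps to the same entry, so all of them must be configured with that entry's secret; an AP holding a different secret rejects the reply.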