Eric Geier wrote:
>> - in this case, they will appear to the FreeRADIUS server as
>> originating from the IP address of your real outside world
>> gateway/NAT box. Therefore each of your sites will be presented to
>> the FreeRADIUS server as different IP addresses.
>
> Are you saying it would work, FreeRADIUS would respond to the
> individual sites?

  Yes.  This is how *any* networking protocol works.

>> Of course, you could really freak things out by using VPN tunnels
>> from the inside networks of each site direct to the FreeRADIUS box -
>> but if all your sites use the same range of addresses then the
>> server wouldn't have a clue at all of which tunnel to send the reply
>> down!
>
> Why would I want to VPN to the server?

  So that your RADIUS packets aren't sent over the Internet in the
clear.

>> With the latest version 2.x of FreeRADIUS you can have dynamic
>> clients etc. which can select the correct shared secrets depending on
>> special DB lookups etc. - but that's not a choice for you currently.
>
> Yes, I read about this, and I'll be upgrading soon and moving to Linux.
> When writing the DB lookups, can I use the User-Name attribute pulled
> from the requests?

  No.  Only the source IP address.

> This will, I think, let me search for the shared secret based on both
> the RadiusClient IP and the domain.... The other server I tried
> couldn't do this. I would also consider using the MAC address of the
> AP instead of, or in addition to, the domain.

  I don't think that's necessary.  The source IP address should be
good enough.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
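An added example to illustrate the two points made in the reply above (the server picks the shared secret by the packet's source IP, and RADIUS on the open Internet is readable in transit). This is standalone Python written for this page; it is not code from the thread, from FreeRADIUS, or from its dynamic-clients feature. The client table, IP addresses, user names and secrets are constructed for the example. The packet format follows RFC 2865 (header, attributes, User-Password hiding with MD5) and the Message-Authenticator check follows RFC 3579.

```python
"""
Minimal RADIUS Access-Request builder and server-side validator.

Shows why a RADIUS server must select the shared secret from the
request's *source IP* (the NAT gateway of each site), and that an
observer on the path can read User-Name without any secret: only
User-Password is hidden, and only with an MD5-based XOR stream.
"""
import hashlib
import hmac
import os
import struct

# Constructed client table, keyed by source IP: one entry per site's
# NAT gateway. Addresses and secrets are hypothetical.
CLIENTS = {
    "203.0.113.10": b"site-a-secret",   # site A gateway
    "198.51.100.20": b"site-b-secret",  # site B gateway
}

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + prev block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier=1):
    """Client/AP side: build an Access-Request with a Message-Authenticator."""
    authenticator = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # zeroed while computing HMAC
    ]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + encode_attrs(attrs[:-1] + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def peek_user_name(packet):
    """What anyone on the path can read with no secret at all."""
    for t, v in decode_attrs(packet[20:]):
        if t == ATTR_USER_NAME:
            return v.decode()
    return None


def validate_request(src_ip, packet):
    """Server side: secret is chosen by source IP, then the packet is verified.
    Returns None for an unknown client or a failed check (the packet would be dropped)."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return None
    authenticator = packet[4:20]
    attrs = decode_attrs(packet[20:])
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    d = dict(attrs)
    given = d.get(ATTR_MESSAGE_AUTHENTICATOR)
    if given is None or not hmac.compare_digest(given, expected):
        return None  # wrong secret for this source IP, or tampered packet
    return {
        "user": d[ATTR_USER_NAME].decode(),
        "password": reveal_password(d[ATTR_USER_PASSWORD], secret, authenticator).decode(),
    }
```

Every AP behind site A's NAT arrives at the server as 203.0.113.10, so one table entry covers the whole site; a packet from site A checked against site B's secret fails the Message-Authenticator test and is dropped. peek_user_name needs no secret, which is the "in the clear" problem the VPN suggestion addresses: the only thing hidden is User-Password, and that is an MD5 keystream rather than real encryption.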