Thanks for your reply.

> > I'm not exactly sure. How does a RADIUS server work over the Internet? I'm
> > not connecting the radius clients onto the same LAN. If a radius request
> > comes in from the internet, would the server send responses to the Internet
> > IP that it received it from (which I think would work for my case) or would
> > it send to the radius client IP?
> >
> > Here's what I'm trying to do:
> > Host a radius server on the Internet...for PEAP 802.1X (WPA-enterprise).
> > Each AP at the different offices would be set with the Internet IP address
> > of where the radius server is running, along with a shared secret. There
> > would likely be APs set to the same IP address, that's why I'm asking about
> > all this.
>
> i'm having a quick stab in the dark here - I'm guessing
> that your APs will have local non routed addresses on their
> LAN - eg 192.168.x.x or 172.16.x.x etc

Yes, that's correct.

> - in this case, they
> will appear to the FreeRADIUS server as originating from the
> IP address of your real outside world gateway/NAT box. therefore
> each of your sites will be presented to the FreeRADIUS server
> as different IP addresses.

Are you saying it would work, FreeRADIUS would respond to the individual sites?

> of course, you could really freak things out by using
> VPN tunnels from the inside networks of each site direct to
> the FreeRADIUS box - but if all your sites use the same range
> of addresses then the server wouldn't have a clue at all of which
> tunnel to send the reply down!

Why would I want to VPN to the server?

> with latest version 2.x of FreeRADIUS you can have dynamic clients
> etc which can select the correct shared secrets depending on
> special DB lookups etc - but that's not a choice for you currently.

Yes, I read about this, and I'll be upgrading soon and moving to Linux. When writing the DB lookups, can I use the User-Name attribute pulled from the requests? This will, I think, let me search for the shared secret based on both the RadiusClient IP and the domain... the other server I tried couldn't do this. I would also consider using the MAC address of the AP instead of or in addition to the domain.

Thanks!