Re: Dynamic clients and NAS-Identifier

2009-05-20 Thread Johan Meiring

Hi,

Ivan Kalik wrote:

> > The problem is that the hotspots can be anywhere.  They are mostly
> > behind ADSL lines.  The source ip address of the radius packet is
> > therefore not predictable.
>
> Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
> providers can use. And you configure the subnet, not exact IP in
> dynamic-clients. Just make one for each ADSL pool.

The problem is that our product is:

Buy the hotspot. Install it.
We don't care where, as long as it has internet access.

To "steal" a quote from freeradius:  It just works.  :-)

I therefore cannot even predict the subnet.

> > The only other way I can think of is identifying the nas by the
> > NAS-Identifier.
>
> Why "other"? That's a bad idea.

Don't understand what you mean.

> > To sum up.
> > Currently a nas is "authenticated" by ip address/radius secret.
> > I feel that being able to "authenticate" a nas by nas identifier/radius
> > secret is a very good enhancement.
> >
> > I'm sure that I'm not the only one that has NASes behind dynamic IPs,
> > and this would make radius traffic from such NASes much more secure.
> >
> > How many other people on the list have NASes behind dynamic IPs?
>
> No, that would be less secure. Enhancement would be to have NAS-Identifier
> *on top* of Packet-Src-IP-Address. Then you could assign individual shared
> secrets to each hotspot (at present whole range has to have same shared
> secret).

Agreed.  Using both would be more secure.

I'm sure we can have a long debate over whether
Packet-Src-IP-Address/secret or NAS-Identifier/secret is more secure,
but that would probably be a waste of time.

Having NAS-Identifier on top of Packet-Src-IP-Address would still allow
me to do what I want.

You hit the nail on the head above.  The problem is that a whole range
has to have the same secret.

Even if all my customers were behind the same DSL provider, and I
therefore have a reduced subnet for clients, they still have to have the
same secret, which means my radius secret becomes public knowledge!

It would be really great to be able to give each nas its own secret.

> Ivan Kalik
> Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Dynamic clients and NAS-Identifier

2009-05-20 Thread Ivan Kalik
> The problem is that the hotspots can be anywhere.  They are mostly
> behind ADSL lines.  The source ip address of the radius packet is
> therefore not predictable.
>

Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
providers can use. And you configure the subnet, not exact IP in
dynamic-clients. Just make one for each ADSL pool.

> The only other way I can think of is identifying the nas by the
> NAS-Identifier.
>

Why "other"? That's a bad idea.

> To sum up.
> Currently a nas is "authenticated" by ip address/radius secret.
> I feel that being able to "authenticate" a nas by nas identifier/radius
> secret is a very good enhancement.
>
> I'm sure that I'm not the only one that has NASes behind dynamic IPs,
> and this would make radius traffic from such NASes much more secure.
>

No, that would be less secure. Enhancement would be to have NAS-Identifier
*on top* of Packet-Src-IP-Address. Then you could assign individual shared
secrets to each hotspot (at present whole range has to have same shared
secret).


Ivan Kalik
Kalik Informatika ISP



RE: Dynamic clients and NAS-Identifier

2009-05-20 Thread Santiago Balaguer García

> > I'm sure that I'm not the only one that has NASes behind dynamic IPs,
> > and this would make radius traffic from such NASes much more secure.


OK, if you have a dynamic public IP you have two options:

 1) use DNS to identify the dynamic IP of your hotspot. It means that your
DSL router or hotspot has the capability to update its public IP every x minutes.
You can use the dyndns.org service. DSL routers normally have this feature.



  2) Install a VPN tunnel like PPTP/L2TP/OVPN... and route all the
authentication requests for this range. For instance, you have your radius server
with IP 10.200.0.11 and your NASes in the 10.200.0.x range. All the auth requests
are sent through the tunnel, so all of them are valid.



  I tried both methods with good results. However, the second option is better
because you have another way to access your hotspots, since you know the
hotspot IP (tunnel IP (10.200.0.x)).

 

   Santiago 


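Ivan's "one dynamic-clients entry per ADSL pool" and Santiago's tunnel layout (server at 10.200.0.11, NASes in 10.200.0.x), written out as FreeRADIUS 2.x configuration. This is an added example, not configuration from the thread or from the FreeRADIUS distribution; the pool 10.20.0.0/16, the tunnel addresses, the secrets and the shortnames are assumptions. The dynamic-clients lookup only has Packet-Src-IP-Address and Packet-Src-Port to key on, so every NAS in the pool ends up with the same secret, which is exactly the limitation discussed above; a hotspot reached over the tunnel has a fixed address and can be an ordinary client with its own secret.

```conf
# raddb/clients.conf  (FreeRADIUS 2.x syntax; addresses and secrets are assumed)

# Option 1: one "network" client per ADSL pool. Packets from inside the
# pool are handed to the dynamic_clients virtual server, which creates a
# client entry on the fly and caches it for `lifetime` seconds.
client adsl_pool_a {
        ipaddr          = 10.20.0.0
        netmask         = 16
        dynamic_clients = dynamic_clients
        lifetime        = 3600
}

# Option 2: hotspots that reach the server through a VPN tunnel have a
# fixed tunnel address, so each one is a normal client with its own secret.
client hotspot_0001 {
        ipaddr    = 10.200.0.21
        secret    = s3cret-only-hotspot-0001-knows
        shortname = hotspot-0001
}
client hotspot_0002 {
        ipaddr    = 10.200.0.22
        secret    = a-different-secret-for-0002
        shortname = hotspot-0002
}

# raddb/sites-available/dynamic-clients  (must be linked into sites-enabled)
server dynamic_clients {
        authorize {
                # Only the packet's source address and port are known here;
                # NAS-Identifier is not consulted, so the secret has to be
                # the same for the whole pool.
                update control {
                        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                        FreeRADIUS-Client-Shortname  = "adsl-%{Packet-Src-IP-Address}"
                        FreeRADIUS-Client-Secret     = "one-secret-for-the-whole-pool"
                        FreeRADIUS-Client-NAS-Type   = "other"
                }
                ok
        }
}
```

With option 1 a single compromised hotspot discloses the secret for the entire pool; with option 2 it discloses only its own, and the tunnel endpoint still binds the packet to a source address.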

Re: Dynamic clients and NAS-Identifier

2009-05-20 Thread Alan DeKok
Johan Meiring wrote:
> I realise I've asked for this before, and it is on your todo list, but
> I'd like to make a case again for maybe getting it moved up higher onto
> the list.

  My "to do" list right now is:

- consulting work (my *only* source of income is FreeRADIUS)

- 3 IETF documents that I'm author / co-author

- White paper for a linux conference

> The current "clients" structure identify the NAS's by ip address.
> While this is perfect for corporate environments, it is not so perfect
> for the hotspot environment in which we operate.

  RADIUS was never designed to work that way.  It's insecure.

  One of the documents I'm writing involves leveraging SSL to allow that
capability.  But implementations are a long ways out.

> We need to somehow authenticate the nas, so someone can not send "rogue"
> accounting info to radius.

  You could always write a simple RADIUS proxy that did those checks.
It likely could be done in ~200-300 lines of Perl.

> I'm sure that I'm not the only one that has NASes behind dynamic IPs,
> and this would make radius traffic from such NASes much more secure.

  Maybe...

 Alan DeKok.
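The check that the small proxy Alan mentions would have to perform, as an added example in Python rather than Perl; it is not code from FreeRADIUS or from anyone in the thread. It assumes a per-NAS secret table keyed by NAS-Identifier (the `SECRETS` dict and the hotspot names are constructed), verifies the RFC 2866 Request Authenticator for Accounting-Request and the RFC 2869 Message-Authenticator for Access-Request, and leaves the source-address binding to the UDP layer. What it shows beyond the thread's statements: NAS-Identifier is free to forge, so it can only select the secret, never replace it, and an Access-Request without a Message-Authenticator carries no proof of origin at all, so the proxy rejects it instead of passing it through.

```python
"""Authenticate a NAS by NAS-Identifier plus a per-NAS secret (added example).

Packet layout follows RFC 2865/2866/2869. Names and secrets are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_STATUS_TYPE = 40
ATTR_MESSAGE_AUTHENTICATOR = 80

# Hypothetical per-hotspot secrets keyed by NAS-Identifier (constructed data).
SECRETS = {
    b"hotspot-0001": b"s3cret-only-hotspot-0001-knows",
    b"hotspot-0002": b"a-different-secret-for-0002",
}


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs (1-byte type, 1-byte length)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Walk the attribute area; return [(type, offset_in_body, value), ...].
    Rejects truncated or zero-length TLVs instead of looping or over-reading."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, i, body[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(ident, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_access_request(ident, attrs, secret, req_auth=None):
    """RFC 2869: Message-Authenticator = HMAC-MD5(secret, packet with the MA value zeroed)."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    req_auth = req_auth or os.urandom(16)
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    return header + req_auth + body[:-16] + mac   # MA is the last attribute


def verify_request(packet, secrets):
    """Return (nas_identifier, authenticated). The identifier only selects the
    secret; the secret must then verify the packet, so a sender who knows a
    valid NAS-Identifier but not that hotspot's secret is rejected."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]                       # RFC 2865: octets past Length are padding
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    attrs = parse_attrs(body)

    nas_ids = [v for t, _, v in attrs if t == ATTR_NAS_IDENTIFIER]
    if len(nas_ids) != 1:
        return None, False                         # missing or ambiguous identity
    nas_id = nas_ids[0]
    secret = secrets.get(nas_id)
    if secret is None:
        return nas_id, False                       # unknown hotspot

    if code == ACCOUNTING_REQUEST:
        expected = hashlib.md5(header + bytes(16) + body + secret).digest()
        return nas_id, hmac.compare_digest(expected, req_auth)

    if code == ACCESS_REQUEST:
        mas = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
        if len(mas) != 1 or len(mas[0][1]) != 16:
            return nas_id, False                   # no Message-Authenticator: unauthenticated
        off, given = mas[0]
        zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
        expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
        return nas_id, hmac.compare_digest(expected, given)

    return nas_id, False                           # other codes are not NAS requests


def demo():
    """Genuine accounting, rogue accounting (right name, wrong secret), genuine access."""
    acct = [(ATTR_NAS_IDENTIFIER, b"hotspot-0001"),
            (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))]          # Acct-Status-Type = Start
    genuine = build_accounting_request(1, acct, SECRETS[b"hotspot-0001"])
    rogue = build_accounting_request(2, acct, b"guessed-secret")
    access = build_access_request(3, [(ATTR_NAS_IDENTIFIER, b"hotspot-0002"),
                                      (ATTR_USER_NAME, b"alice")], SECRETS[b"hotspot-0002"])
    return [verify_request(p, SECRETS) for p in (genuine, rogue, access)]


if __name__ == "__main__":
    for nas_id, ok in demo():
        print(nas_id, "accepted" if ok else "rejected")
```

A real proxy would additionally record the UDP source address it saw the packet arrive from and forward only verified packets to the server, re-signing them with the server's own secret; that is the "NAS-Identifier on top of Packet-Src-IP-Address" combination Ivan describes.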