Re: public secret and public radius server. Is it secure?

2006-06-15 Thread Stefan Winter
Hi, this is again an example where a RadSec extension would come in extremely handy. Short wrapup: RadSec establishes connections via TCP and TLS and transports the RADIUS payload over it, so clients can be identified by their TLS certificate; IPs and shared secrets become obsolete.

Re: public secret and public radius server. Is it secure?

2006-06-06 Thread Stefan Winter
Hi, In my project, I don't own the hotspots, and don't know about the hotspots ISPs. The hotspots communicate to the radius server through the internet. I would suggest using another method to get a secure connection to the hotspot. Maybe IPSec. this is again an example where a RadSec

Re: public secret and public radius server. Is it secure?

2006-06-06 Thread sophana
Stefan Winter wrote: Hi, In my project, I don't own the hotspots, and don't know about the hotspots ISPs. The hotspots communicate to the radius server through the internet. I would suggest using another method to get a secure connection to the hotspot.

Re: public secret and public radius server. Is it secure?

2006-06-06 Thread Alan DeKok
Stefan Winter [EMAIL PROTECTED] wrote: this is again an example where a RadSec extension would come in extremely handy. Short wrapup: RadSec establishes connections via TCP and TLS and transports the RADIUS payload over it, so clients can be identified by their TLS certificate; IPs and

RE: public secret and public radius server. Is it secure?

2006-06-05 Thread Santiago Balaguer García
If you don't want Dynamic address use VPN between your RADIUS server and your hotspots. My question is : - What can a malicious user do with the secret? Can it alter accounting and other things? (chillispot uses chap auth-type) one is spell it out and try rumble it so he forms a new word

Re: public secret and public radius server. Is it secure?

2006-06-05 Thread A . L . M . Buxey
Hi, I don't want to do that, because it is too complex to set up. My users set up their hotspot by themselves (at least at the beginning) Setting up a vpn is too complicated. I just want the setup as simple as possible. you are planning to roll out captive portals, with RADIUS authentication,

Re: public secret and public radius server. Is it secure?

2006-06-04 Thread sophana
Alan DeKok wrote: sophana [EMAIL PROTECTED] wrote: In my project, I don't own the hotspots, and don't know about the hotspots ISPs. The hotspots communicate to the radius server through the internet. I would suggest using another method to get a secure connection to the hotspot.

Re: public secret and public radius server. Is it secure?

2006-06-04 Thread Alan DeKok
sophana [EMAIL PROTECTED] wrote: Both the Access Request and Accounting Request MUST have the NAS-IP-Address http://www.freeradius.org/rfc/rfc2865.html#NAS-IP-Address attribute or a NAS-Identifier http://www.freeradius.org/rfc/rfc2865.html#NAS-Identifier attribute (or both). Does

RE: public secret and public radius server. Is it secure?

2006-06-02 Thread vertito
My question is : - What can a malicious user do with the secret? Can it alter accounting and other things? (chillispot uses chap auth-type) one is spell it out and try rumble it so he forms a new word from it - Is there a way of maintaining a per hotspot secret with dynamic ip addresses?

Re: public secret and public radius server. Is it secure?

2006-06-02 Thread sophana
vertito wrote: My question is : - What can a malicious user do with the secret? Can it alter accounting and other things? (chillispot uses chap auth-type) one is spell it out and try rumble it so he forms a new word from it Is it a real security problem? I will be using accounting for

Re: public secret and public radius server. Is it secure?

2006-06-02 Thread Alan DeKok
sophana [EMAIL PROTECTED] wrote: I saw in the freeradius source that the NAS are identified from the ip address, and the secret is determined from it. That's how RADIUS works. My problem is that there can be hotspots on dynamic ip addresses. The solution I found actually is to have an

Re: public secret and public radius server. Is it secure?

2006-06-02 Thread sophana
Alan DeKok wrote: My problem is that there can be hotspots on dynamic ip addresses. The solution I found actually is to have a unique secret shared with all hotspots. So the secret is known by everybody. Or, make the hotspots NOT have dynamic IP's. There's no reason why