
List:       freeradius-users
Subject:    Re: Multiple shared secret per IP?
From:       "Chris Taylor (chtaylo2)" <chtaylo2 () cisco ! com>
Date:       2017-02-20 18:34:08
Message-ID: 3E290C50-B0F8-4259-A847-5FA104C742BC () cisco ! com

I found an interesting work around for anyone interested. 
If you have a need to have dual secret keys per IP address, the following seems to work:

1.) Create a new listener in sites-enabled/default
a. You'll want to listen on a different port
b. Enable:  clients = per_socket_clients
2.) In your clients.conf add:

clients per_socket_clients {
       client socket_client {
               ipaddr = XX.XX.XX.XX
               secret = Monitor_Agent
       }
}

The default listener will continue to use the normal client shortname, while the new listener will use the secret key from socket client. This probably isn't what this is intended for, but does work!




On 2/13/17, 3:53 PM, "Freeradius-Users on behalf of Chris Taylor (chtaylo2)" <freeradius-users-bounces+chtaylo2=cisco.com@lists.freeradius.org on behalf of chtaylo2@cisco.com> wrote:

    Thank you all. I think running a secondary IP might be the way to go here. A lot of good suggestions.
    
    
    On 2/13/17, 12:14 PM, "Freeradius-Users on behalf of Peter Lambrechtsen" <freeradius-users-bounces+chtaylo2=cisco.com@lists.freeradius.org on behalf of peter@crypt.nz> wrote:
        On 14/02/2017 05:52, "Brian Candler" <b.candler@pobox.com> wrote:
        
        On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote:
        
        > user: monitor
        >
        > source IP: 64.0.0.1
        >
        > secret: MonitorAgent
        >
        >
        > ^ - That's easy. To complicate, I need to also authenticate real users
        > from the same source server, using a different shared secret.  (anyone can
        > view the one above, so not secure) Ideally, I'd like to also lockdown the
        > above secret key, to the single user.
        >
        >
        >
        
        Could you add a second IP address to the server (i.e. an alias), and bind
        to that when sending your test queries?
        
        
        I was just wondering about to reply and say exactly the same thing.
        
        On my development server I have bound 6 secondary IP addresses to it and
        use
        
        Packet-Src-IP-Address
        
        In the first line of the request.
        
        http://lists.freeradius.org/pipermail/freeradius-devel/2012-October/007185.html
  
        The other option as suggested is to add multiple IP addresses on the server
        or a listen statement in the configuration with a new port and use a per
        port clients to specify the shared secret.
        
        In the end after various different ways of achieving it I created my own
        custom VSA and include that in the request to determine the NAS type. Then
        for normal NASes I use client shortname and make decisions in code. And for
        my development server I don't define client shortname and pass it in as an
        additional VSA.
        -
        List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



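The workaround at the top of this thread, written out as complete FreeRADIUS 3.x configuration. This is an added example, not configuration posted by anyone in the thread; the port number 18121, the NAS address 192.0.2.10, the client name nas_main, the real-user secret, and the unlang check that pins the monitoring secret to a single User-Name are assumptions for illustration.

```conf
# --- raddb/sites-enabled/default: add a second auth listener -------------
# The existing "listen" block on port 1812 stays unchanged and keeps using
# the global client list from clients.conf. This extra socket serves only
# the monitoring user and has its own client list.
listen {
        type    = auth
        ipaddr  = *
        port    = 18121               # assumed: any unused UDP port works
        # Only clients in the named section below may talk to this socket;
        # the global clients.conf entries do not apply here.
        clients = per_socket_clients
}

# --- raddb/clients.conf --------------------------------------------------
# Global client used by the default listener (real users, normal secret).
client nas_main {
        ipaddr    = 192.0.2.10        # assumed NAS address
        secret    = RealUsers_Secret_ChangeMe   # assumed placeholder value
        shortname = nas_main
}

# Per-socket client list referenced by the listener above. Same source IP,
# different secret: the monitoring secret is only accepted on port 18121,
# so a request with it on port 1812 fails authenticator verification.
clients per_socket_clients {
        client socket_client {
                ipaddr = 192.0.2.10   # same NAS address as nas_main
                secret = Monitor_Agent
        }
}

# --- raddb/sites-enabled/default, top of the "authorize" section --------
# Both listeners share this virtual server, so Packet-Dst-Port tells them
# apart. Assumed policy: the monitoring socket accepts only user "monitor",
# and "monitor" may not log in through the real-user socket.
authorize {
        if (&Packet-Dst-Port == 18121 && &User-Name != "monitor") {
                reject
        }
        if (&Packet-Dst-Port != 18121 && &User-Name == "monitor") {
                reject
        }
        # ... existing authorize modules follow unchanged ...
}
```

Check the result with `radiusd -XC` before restarting; the debug output lists each listener together with the client list it is bound to.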

