List:       freeradius-users
Subject:    Re: [EXT] Re: Multiple NAS clients within same network
From:       Brian Julin <BJulin () clarku ! edu>
Date:       2022-10-04 17:39:32
Message-ID: BL0PR03MB3988CE0332BB1FF6F588135CB45A9 () BL0PR03MB3988 ! namprd03 ! prod ! outlook ! com
Alan DeKok <aland@deployingradius.com> wrote:
> Use RADIUS over TLS.  It solves this problem, and is secure.
> I have a document which I will be working through the IETF as a new RADIUS standard.  It will officially deprecate RADIUS/UDP, and require TLS transport for most situations.  The document will also explain just how bad an idea it is to run RADIUS/UDP over the Internet.  Do you like people breaking all of your security?  No?  Then don't run RADIUS/UDP over the Internet.

That surely cannot be emphasized enough.  It's surprising people do it.

Let's assume the remote site traffic is safely tunneled by other means, though.  If the user cannot set up a RadSec proxy server at the branch, then what I would recommend is to run a remote proxy instance of FreeRADIUS in addition to the main FreeRADIUS server.  Send one of the two clients there instead of to the main RADIUS server.  That proxy server instance would have a separate database of clients with the keys for that particular client appliance, and then would use the home server secret when relaying to the main FreeRADIUS instance.

The two instances could be on the same machine, just using different ports.  You just have to keep the config files separate for each process.

But... as Alan said... I do not recommend this unless you have a means to keep the RADIUS/UDP traffic in an encrypted tunnel between the branch and home office.  And if you have an encrypted tunnel, you can probably run routes through it and give the VPN and WiFi different, private, IP addresses, even if they are the same appliance.
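Added example (not Brian's or the FreeRADIUS project's own configuration): a minimal second-instance layout for the proxy arrangement described above, in FreeRADIUS 3.x config syntax. The directory name, the IP addresses, the port and the secrets are placeholders; only the branch appliance that is pointed at the proxy instance appears in its clients.conf, and the home_server secret is the one the main instance has for the proxy, so the branch appliance's own secret never has to be known to the main server.

```conf
# --- /etc/freeradius/branch-proxy/clients.conf (proxy instance only) ---
# Separate client database: only the appliance that is sent to this instance.
client branch_wifi {
        ipaddr    = 192.0.2.10          # placeholder: branch appliance address
        secret    = BRANCH_WIFI_SECRET  # placeholder: secret configured on that appliance
        shortname = branch-wifi
        nas_type  = other
}

# --- /etc/freeradius/branch-proxy/proxy.conf ---
# The main FreeRADIUS instance, reached over the encrypted tunnel.
home_server main_radius {
        type   = auth
        ipaddr = 10.0.0.5               # placeholder: main FreeRADIUS server
        port   = 1812
        secret = HOME_SERVER_SECRET     # placeholder: secret the main server holds for this proxy
        response_window = 20
        status_check    = status-server
}

home_server_pool main_pool {
        type        = fail-over
        home_server = main_radius
}

realm main {
        auth_pool = main_pool
        nostrip                         # forward User-Name unchanged
}

# --- /etc/freeradius/branch-proxy/sites-enabled/default (relevant parts) ---
server default {
        listen {
                type   = auth
                ipaddr = *
                port   = 11812          # placeholder: distinct port so both instances can share a host
        }

        authorize {
                # Relay every request to the main instance; no local policy here.
                update control {
                        &Proxy-To-Realm := "main"
                }
        }
}

# --- on the MAIN instance: /etc/freeradius/clients.conf entry for the proxy ---
client branch_proxy {
        ipaddr    = 10.0.0.6            # placeholder: address the proxy instance sends from
        secret    = HOME_SERVER_SECRET  # same value as the home_server secret above
        shortname = branch-proxy
}
```

Start the second process against its own directory, e.g. `radiusd -d /etc/freeradius/branch-proxy -X` while testing. If both instances run on one machine, the copied radiusd.conf also needs its own pidfile and log paths, and the control-socket virtual server should not be enabled twice on the same path; otherwise the second process will refuse to start or clobber the first.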

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html