Multiple radius clients from one IP


Xander Lammertink
Hi all,

I was working on setting up FreeRADIUS, however I came across the following problem:

I'd like to have the clients of my access point with multiple SSIDs to authenticate using radius.
The way I tried to set this up was by creating multiple clients, each having their own secret and referring to a virtual server.
Based on the radius client, the preferred virtual server would be chosen that would select the desired authentication mechanism.

However, when I create two clients with the same "ipaddr" (which is the case for my access point), I get the following error:
freeradius[1234]: Failed to add duplicate client client_name

When reading the link below I see it's possible to use my approach, except the ipaddr thing is making stuff difficult.
https://networkradius.com/doc/3.0.10/raddb/sites-available/home.html

So is there a way to have multiple clients authenticate from the same IP address (each referring to another virtual server) without listening on multiple tcp/udp ports?

Thanks for your help!


Current non-working high-level configuration:

listen {
        ...
}
client one {
        ...
        ipaddr = 10.0.0.2
        virtual_server = server_one
}
client two {
        ...
        ipaddr = 10.0.0.2
        virtual_server = server_two
}
server server_one {
        authorize {
                ...
        }
        ...
}
server server_two {
        authorize {
                ...
        }
        ...
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple radius clients from one IP

Alan DeKok-2
On Jan 9, 2020, at 7:57 AM, Xander Lammertink <[hidden email]> wrote:
> I was working on setting up FreeRADIUS, however I came across the following problem:
>
> I'd like to have the clients of my access point with multiple SSIDs to authenticate using radius.
> The way I tried to set this up was by creating multiple clients, each having their own secret and referring to a virtual server.
> Based on the radius client, the preferred virtual server would be chosen that would select the desired authentication mechanism.

  Based on *what part* of the RADIUS client?  How does the server know which packet comes from which client?

> However, when I create two clients with the same "ipaddr" (which is the case for my access point), I get the following error:
> freeradius[1234]: Failed to add duplicate client client_name

  Yes.  RADIUS clients are distinguished by source IP address.  That's how RADIUS works.

> When reading the link below I see it's possible to use my approach, except the ipaddr thing is making stuff difficult.
> https://networkradius.com/doc/3.0.10/raddb/sites-available/home.html

  No, that page does *not* say it's possible to use your approach.  It says each client can use its own virtual server.  It does *not* say that you can list the same IP address for multiple clients.

> So is there a way to have multiple clients authenticate from the same IP address (each referring to another virtual server) without listening on multiple tcp/udp ports?

  No.  RADIUS doesn't work like that.

  Think of it this way: how does the RADIUS server tell that the packet is from client 1 versus from client 2?  What part of the configuration you edited allows the server to make that distinction?

  i.e. what piece of information lets the server tell the two packets apart?

  The answer is "nothing".  Therefore, what you're doing won't work.

  Have the server listen on multiple ports, and configure different clients to use different ports.

  Alan DeKok.



Re: Multiple radius clients from one IP

arjun sharma
Hi,

https://wiki.freeradius.org/config/Virtual-server

Please read this. It's very much possible; what you need to do is, on each
client (access point), configure the radius server auth and acct ports differently.

Like on AP 1
AUTH SERVER =  RADIUSIP: PORT 1

ON AP2
AUTH SERVER =  RADIUSIP: PORT2

This way virtual servers need to be configured to listen on these ports at
radius site.

Alan, this way clients with the same IP will be distinguished.

Please read the above link.


Re: Multiple radius clients from one IP

arjun sharma
I replied from my phone. Alan already explained what I wrote in my last mail;
sorry for the duplication from my side.


Re: Multiple radius clients from one IP

Xander Lammertink
Too bad, I was hoping there would be a possibility where it would loop through all clients with that IP and check which one has a matching secret. But I guess the best option is to use a different port.
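
The multi-port setup recommended in this thread, as an added FreeRADIUS 3 configuration example that is not part of the original posts. The client list names, port 1822 and the secrets are assumptions and placeholders; 10.0.0.2, server_one and server_two come from the first post. It also assumes the access point lets you set a different RADIUS server port per SSID.

```conf
# clients.conf
# One client list per listening socket. The same ipaddr can appear in both
# lists because each list is consulted only by the listener that names it,
# so the (destination port, source IP) pair identifies the client and secret.
clients ssid_one_clients {
	client ap_ssid_one {
		ipaddr = 10.0.0.2
		secret = REPLACE_WITH_SECRET_ONE	# placeholder
	}
}

clients ssid_two_clients {
	client ap_ssid_two {
		ipaddr = 10.0.0.2
		secret = REPLACE_WITH_SECRET_TWO	# placeholder, different from the first
	}
}

# sites-enabled/server_one
# A listen section inside a server block hands its packets to that server.
# No other listen section (for example the one in sites-enabled/default)
# may be bound to the same address and port.
server server_one {
	listen {
		type = auth
		ipaddr = *
		port = 1812
		clients = ssid_one_clients
	}
	authorize {
		# authentication policy for the first SSID
	}
}

# sites-enabled/server_two
server server_two {
	listen {
		type = auth
		ipaddr = *
		port = 1822			# assumed free port, set on the AP for the second SSID
		clients = ssid_two_clients
	}
	authorize {
		# authentication policy for the second SSID
	}
}
```

Accounting needs a matching `type = acct` listener per server if the SSIDs send accounting to separate ports. Check the result with `radiusd -XC` (`freeradius -XC` on Debian-based systems) before restarting the server.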
