Re: [RadiusNT] accepting auth/acct requests from many NASes

Dale E. Reed Jr. ( (no email) )
Mon, 28 Feb 2000 10:35:54 -0800

Josh Hillman wrote:
>
> How can RadiusNT / Emerald be set up to accept auth/acct requests from many
> NASes outside of our network?
>
> Presently, we have it set to accept only from our own NASes, but will be
> adding many from around the country (unknown IP addresses). The secret will
> be known, but obtaining the IP addresses could be a big problem. Is there a
> way to set it to allow all? Or do I need to add a new server and leave the
> IP address field blank (while having a valid secret) or what?
> Email addresses for all of these remote locations will be the same form that
> we already use locally (same domain name for everyone) for whatever that's
> worth. In other words, it's as if our own local users are simply dialing up
> from remote locations.

I do not recommend this, as it allows for a trivial DOS on your RADIUS
server. Are the NASes making the request, or a proxy server?

There are two registry settings:

IPCheck
GlobalSecret

that can do what you want. Set IPCheck to 0, and GlobalSecret to
whatever the secret is. If RadiusNT can't find the IP Address in
its list and the above is set to 0, then it will accept the request
and use the Global Secret.

Note: If you enable this, someone knowing your RADIUS server IP
address could simply use radlogin to create a DOS attack. Therefore,
think carefully before enabling it.

-- 

Dale E. Reed Jr.  Emerald and RadiusNT
__________________________________________
IEA Software, Inc.  www.iea-software.com
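The lookup described in the reply above, modelled as an added example that is not part of the original message and is not RadiusNT code. It shows which packets reach processing when IPCheck is 0 versus 1, using the RFC 2866 accounting authenticator check. Only the names IPCheck and GlobalSecret come from the post; the addresses, secrets and function names are constructed.

```python
import hashlib
import hmac
import struct

# Hypothetical model: constructed client list and secrets, not RadiusNT data.
KNOWN_NAS = {"192.0.2.10": b"per-nas-secret"}
GLOBAL_SECRET = b"shared-everywhere"
# Constructed attribute: Acct-Status-Type (40), length 6, value 1 (Start).
SAMPLE_ATTRS = b"\x28\x06\x00\x00\x00\x01"
ACCOUNTING_REQUEST = 4

def select_secret(src_ip, ip_check):
    """Return the secret for src_ip, or None if the packet must be dropped."""
    if src_ip in KNOWN_NAS:
        return KNOWN_NAS[src_ip]
    if ip_check == 0:          # unknown source falls back to the global secret
        return GLOBAL_SECRET
    return None                # unknown source rejected before any other work

def acct_authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_acct_request(ident, attrs, secret):
    """Build the packet a NAS holding `secret` would send."""
    auth = acct_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs

def handle(src_ip, packet, ip_check):
    """Return what the modelled server does with one accounting packet."""
    secret = select_secret(src_ip, ip_check)
    if secret is None:
        return "dropped: unknown NAS"
    if len(packet) < 20:
        return "dropped: bad length"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return "dropped: bad length"
    expected = acct_authenticator(code, ident, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "dropped: bad authenticator"
    return "processed"

if __name__ == "__main__":
    pkt = build_acct_request(1, SAMPLE_ATTRS, GLOBAL_SECRET)
    for ip_check in (1, 0):
        print(ip_check, handle("203.0.113.7", pkt, ip_check))
```

With IPCheck at 0 the source-address filter no longer applies, so the global secret is the only gate on accounting packets. An Access-Request carries a random Request Authenticator (RFC 2865) that the server cannot verify up front, so each one from an unlisted address still costs a lookup.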
