[RADIATOR] Multiple secrets per client definition?

Leigh Porter leigh.porter at ukbroadband.com
Mon Apr 19 03:57:15 CDT 2010



If you could not have multiple secrets here is what I would do:

Move the current RADIUS server to differant ports.
Use Linux iptables to do port mapping.

Setup another RADIUS server on the same host using differant ports with 
the new secret.

Then as you move clients to the new secret you can modify iptables to 
direct traffic fro those clients to the new RADIUS server.

When all clients are modified, you can then turn off the old server, 
remove the portmaps and move the new RADIUS server to the original prots.

--
Leigh


On 19/04/10 09:49, Jacob Rohlff wrote:
>
> Hi.
>
> I’ve searched through the mail archive, but haven’t found anything 
> that could help me, I’m sorry if this has already been dealt with.
>
> We are running Radiator 4.6 on Red Hat Linux.
>
> Is it possible to have more than one secret per client definition? So 
> if a device uses either of the secrets it will be able to authenticate 
> successfully?
>
> For example, if you need to change your client secret for some reason 
> (i.e. audit found the secret to be too short or not complex enough) 
> and you want a smooth transition for the devices which are using 
> Radiator to authenticate, allowing them to use either secrets for a 
> while, until all devices use the new secret, then remove the old 
> secret from the Radiator config.
>
> In this case however, the request might just be for the same client 
> definition to allow several secrets.
>
> Our client definition looks like this:
>
> <Client DEFAULT>
>
>       Secret <something>
>
>       Identifier Default
>
> </Client>
>
> So every device/client has the same identifier.
>
> Creating several client definitions to separate the IP subnets would 
> be one way to gradually have the clients use the new secret, however 
> this would still require the Radiator config to be changed at the same 
> time as the client’s radius settings is changed (for the devices in 
> the affected IP subnet).
>
> Is there another practical way to change secret - without the clients 
> losing the ability to authenticate until their radius config is changed?
>
> Kind regards.
>
> Jacob Rohlff
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20100419/3bbfb112/attachment.html 


More information about the radiator mailing list