Hi,
It would be nice if we could put a domain or URL in place of an IP. There are times when the IP could change and having to put an actual IP makes it difficult to chance every device we have deployed. (ie radius1.mydomain.com)
Sure it could be convenient. However, I would advise to deploy a VPN for management and authentication.
The bonus for cases like this is that you can have a fixed IP for your RADIUS server within the VPN.
But it also simplifies the correct firewalling against break-in attempts.
Use e.g openvpn with CA certs. We push out routes on a private IP range from openvpn. We then use an amazon ec2 instance with an elastic IP for freeradius.
That’s a great suggestion. As long as the router traffic is not routed through this VPN connection.
Of course. The VPN is used only for management and things like RADIUS. Keep it all in a local subnet e.g. under 10.x.x.x.
The actual user and internet traffic is routed directly.
Awesome! I have a Windows 2008 R2 Server that hosts my radius server. Will the build in windows VPN server work? Or do you recommend another that is free? I always seem to have issues with the windows VPN server connecting.
Put a MikroTik router on the network that includes the WIndows server and you can do all the VPN stuff
on the router. Just assign the Windows server an extra address in the VPN on a second LAN card or a VLAN.
(you can even do it on the normal LAN)