Access-Request / Mandatory Attributes

Alan DeKok aland at deployingradius.com
Thu Dec 24 10:36:39 CET 2009


rsg wrote:
> I find that FreeRadius server allows access even without either of the
> mandatory attributes i.e. NAS-Identifier or NAS-IP-Address in the
> Access Request packet.
> 
> Is this a deviation from RFC 2865?

  No.

> " .....An Access-Request SHOULD contain a User-Name attribute.  It
> MUST contain either a NAS-IP-Address attribute or a NAS-Identifier
> attribute (or both)."
> 
> Can someone clarify this please?

  It is a requirement on *client* implementations.  It has no meaning
for a RADIUS server.

  What do you suggest that a RADIUS server do if it receives a
"non-compliant" packet?  Discard it?  Reject it? ...

  FreeRADIUS enforces security requirements.  Nearly all of the other
"MUST" statements are meant as "this is good practice".  They can
therefore be ignored.  And they often *need* to be ignored for
inter-operability with horrible vendor equipment.

  Alan DeKok.
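
Added example, not part of the original post and not FreeRADIUS code: a Python audit that parses an Access-Request and reports the RFC 2865 client-side requirements quoted above as findings instead of rejecting the packet, so non-compliant NAS equipment can be identified in logs. The function names, finding strings and sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1                                    # RFC 2865 packet code
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32  # RFC 2865 attribute types

def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attributes that follow the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def audit_access_request(packet: bytes) -> list:
    """Return RFC 2865 client-side deviations; an empty list means none found."""
    attrs = parse_attributes(packet)  # structurally malformed packets raise
    if packet[0] != ACCESS_REQUEST:
        return []
    findings = []
    if NAS_IP_ADDRESS not in attrs and NAS_IDENTIFIER not in attrs:
        findings.append("MUST: no NAS-IP-Address or NAS-Identifier")
    if USER_NAME not in attrs:
        findings.append("SHOULD: no User-Name")
    return findings

def build_packet(code: int, attrs: list) -> bytes:
    """Constructed test input: identifier 1, all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captured traffic.
COMPLIANT = build_packet(ACCESS_REQUEST, [(USER_NAME, b"bob"), (NAS_IDENTIFIER, b"nas01")])
NO_NAS = build_packet(ACCESS_REQUEST, [(USER_NAME, b"bob")])

if __name__ == "__main__":
    for name, pkt in (("compliant", COMPLIANT), ("no-nas", NO_NAS)):
        print(name, audit_access_request(pkt) or "ok")
```
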


