Dynamic clients and NAS-Identifier

[Johan Meiring]

Hi Alan,

I realise, i've asked for the before, and it is on your todo list, but 
I'd like to make a case again for maybe getting it moved up higher onto 
the list.

The current "clients" structure identify the NAS's by ip address.
While this is perfect for corporate environments, it is not so perfect 
for the hotspot environment in which we operate.

We have a central radius server for many different hotspot owners.
Hotspots are running chillispot.

We need to somehow authenticate the nas, so someone can not send "rough" 
accounting info to radius.

The only way to currently identify a NAS is by IP address. You can then 
lookup the NAS, and create a "radius secret" based on the IP address. 
This is done using the dynamic_clients virtual server.

The problem is that the hotspots can be anywhere.  They are mostly 
behind ADSL lines.  The source ip address of the radius packet is 
therefore not predictable.

The only other way I can thing of is identifying the nas by the 
NAS-Identifier.

To sum up.
Currently a nas is "authenticated" by ip address/radius secret.
I feel that being able to "authenticate" a nas by nas identifier/radius 
secret is a very good enhancement.

I'm sure that I'm not the only one that have NAS's behind dynamic IPs, 
and this would make radius traffic from such NAS's much more secure.

I'm prepared to do it myself, but by c skills really suck.  I can only 
do "copy and paste" type editing.

I've spent a few hours looking at the code, and it seems that (in 
listen.c) you need to create the "value pairs" somehow before sending 
the packet to  module_authorize, but I have no clue how to even attempt 
this.

I'm fully prepared to try and contribute somehow, but this is way out of 
my league.

Anyway, end of long story.  I simply hope to get this maybe moved a bit 
higher up on the todo list.

Thanks!!!


-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782