Dynamic clients and NAS-Identifier
Ivan Kalik
tnt at kalik.net
Wed May 20 11:59:19 CEST 2009
> The problem is that the hotspots can be anywhere. They are mostly
> behind ADSL lines. The source ip address of the radius packet is
> therefore not predictable.
>
Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
providers can use. And you configure the subnet, not exact IP in
dynamic-clients. Just make one for each ADSL pool.
> The only other way I can think of is identifying the nas by the
> NAS-Identifier.
>
Why "other"? That's a bad idea.
> To sum up.
> Currently a nas is "authenticated" by ip address/radius secret.
> I feel that being able to "authenticate" a nas by nas identifier/radius
> secret is a very good enhancement.
>
> I'm sure that I'm not the only one that has NASes behind dynamic IPs,
> and this would make radius traffic from such NASes much more secure.
>
No, that would be less secure. Enhancement would be to have NAS-Identifier
*on top* of Packet-Src-IP-Address. Then you could assign individual shared
secrets to each hotspot (at present whole range has to have same shared
secret).
Ivan Kalik
Kalik Informatika ISP
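A small model, added here and not taken from FreeRADIUS or from this thread, of the lookup order Ivan describes: the source subnet (Packet-Src-IP-Address) selects the ADSL pool, NAS-Identifier then selects the per-hotspot secret within it, and only the shared secret actually authenticates the NAS (checked here through the RFC 2869 Message-Authenticator). Subnets, hotspot names and secrets are constructed sample values.

```python
import hmac, hashlib, ipaddress, struct

# Constructed sample table: one entry per ADSL pool (subnet), each holding a
# per-hotspot secret keyed by NAS-Identifier. All values are made up.
SUBNET_SECRETS = {
    ipaddress.ip_network("192.0.2.0/24"): {"hotspot-1": b"s3cret-one", "hotspot-2": b"s3cret-two"},
    ipaddress.ip_network("198.51.100.0/24"): {"hotspot-3": b"s3cret-three"},
}
NAS_IDENTIFIER = 32          # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type

def parse_attrs(pkt):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    off = 20
    while off < len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            raise ValueError("malformed attribute length")
        yield t, pkt[off + 2:off + l], off
        off += l

def lookup_secret(src_ip, pkt):
    """Subnet first (Packet-Src-IP-Address), then NAS-Identifier within that pool."""
    ip = ipaddress.ip_address(src_ip)
    pool = next((s for net, s in SUBNET_SECRETS.items() if ip in net), None)
    if pool is None:
        return None
    nas_id = next((v.decode() for t, v, _ in parse_attrs(pkt) if t == NAS_IDENTIFIER), None)
    return pool.get(nas_id)

def verify_message_authenticator(pkt, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869)."""
    for t, v, off in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
    return False   # no Message-Authenticator: reject rather than trust the identifier alone

def build_access_request(nas_id, secret, authenticator=b"\x11" * 16):
    """Constructed Access-Request carrying NAS-Identifier and a Message-Authenticator."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id.encode()
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def accept_nas(src_ip, pkt):
    """True only if the secret selected by subnet + NAS-Identifier verifies the packet."""
    secret = lookup_secret(src_ip, pkt)
    return secret is not None and verify_message_authenticator(pkt, secret)
```

A packet with the right NAS-Identifier but the wrong secret is rejected, which is the point of the thread: the identifier only picks the secret, it never replaces it.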