Dynamic clients and NAS-Identifier

Johan Meiring jmeiring at pcservices.co.za
Wed May 20 12:37:05 CEST 2009


Hi,

Ivan Kalik wrote:
>> The problem is that the hotspots can be anywhere.  They are mostly
>> behind ADSL lines.  The source ip address of the radius packet is
>> therefore not predictable.
>>
> 
> Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
> providers can use. And you configure the subnet, not exact IP in
> dynamic-clients. Just make one for each ADSL pool.
> 

The problem is that our product is:

Buy the hotspot. Install it.
We don't care where, as long as it has internet access.

To "steal" a quote from freeradius:  It just works.  :-)

I therefore cannot even predict the subnet.

>> The only other way I can think of is identifying the nas by the
>> NAS-Identifier.
>>
> 
> Why "other"? That's a bad idea.
> 

Don't understand what you mean.

>> To sum up.
>> Currently a nas is "authenticated" by ip address/radius secret.
>> I feel that being able to "authenticate" a nas by nas identifier/radius
>> secret is a very good enhancement.
>>
>> I'm sure that I'm not the only one that has NAS's behind dynamic IPs,
>> and this would make radius traffic from such NAS's much more secure.
>>

How many other people on the list have NAS'es behind dynamic IPs?

> 
> No, that would be less secure. Enhancement would be to have NAS-Identifier
> *on top* of Packet-Src-IP-Address. Then you could assign individual shared
> secrets to each hotspot (at present whole range has to have same shared
> secret).
> 

Agreed.  Using both would be more secure.

I'm sure we can have a long debate over whether 
Packet-Src-IP-Address/secret or NAS-Identifier/secret is more secure, 
but that would probably be a waste of time.

Having NAS-Identifier on top of Packet-Src-IP-Address would still allow 
me to do what I want.

You hit the nail on the head above.  The problem is that a whole range 
has to have the same secret.

Even if all my customers were behind the same DSL provider, and I 
therefore have a reduced subnet for clients, they still have to have the 
same secret, which means my radius secret becomes public knowledge!

It would be really great to be able to give each nas its own secret.


> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 


-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
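To make the lookup order discussed above concrete (source subnet first, NAS-Identifier on top of it, a separate secret per hotspot), here is an added Python model of a RADIUS client lookup followed by a Message-Authenticator check. It is an illustration written for this page, not FreeRADIUS code or its dynamic-clients syntax; the client table, subnets, hotspot names and secrets are constructed.

```python
import hashlib, hmac, ipaddress, os, struct

# Constructed client table, not FreeRADIUS config syntax: (source subnet, NAS-Identifier
# or None, shared secret). The first entry models what is possible today: one secret for a
# whole ADSL range. The other two model the proposed enhancement, NAS-Identifier on top of
# the source subnet, so two hotspots in the same pool can hold different secrets.
CLIENTS = [
    ("198.51.100.0/24", None, b"range-wide-secret"),
    ("203.0.113.0/24", "hotspot-0001", b"secret-0001"),
    ("203.0.113.0/24", "hotspot-0002", b"secret-0002"),
]
NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80  # RADIUS attribute types

def attributes(pkt):
    """Yield (type, offset, value) for each attribute after the 20-byte RADIUS header."""
    i = 20
    while i < len(pkt):
        length = pkt[i + 1]
        yield pkt[i], i, pkt[i + 2:i + length]
        i += length

def build_access_request(nas_id, secret, ident=1):
    """Access-Request carrying NAS-Identifier and a Message-Authenticator (HMAC-MD5, RFC 2869)."""
    attrs = struct.pack("BB", NAS_IDENTIFIER, 2 + len(nas_id)) + nas_id.encode()
    attrs += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)  # zeroed placeholder
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def lookup_secret(src_ip, pkt):
    """Pick the candidate secret by source subnet first, then by NAS-Identifier within it."""
    # NAS-Identifier comes from a packet that is not yet authenticated, so it only selects
    # which secret to try; accept_request still has to verify the packet under that secret.
    ip = ipaddress.ip_address(src_ip)
    nas_id = next((v.decode() for t, _, v in attributes(pkt) if t == NAS_IDENTIFIER), None)
    for subnet, wanted_id, secret in CLIENTS:
        if ip in ipaddress.ip_network(subnet) and wanted_id in (None, nas_id):
            return secret
    return None

def accept_request(src_ip, pkt):
    """True only if a client entry matches and the packet authenticates under its secret."""
    secret = lookup_secret(src_ip, pkt)
    if secret is None:
        return False
    for t, off, val in attributes(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), val)
    return False  # no Message-Authenticator: nothing proves the sender holds the secret
```

A packet from the shared pool that names one hotspot's NAS-Identifier selects that hotspot's secret and is then verified under it, so the identifier only narrows the lookup while the secret still does the authenticating.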