I have seen several requests in this mailing list regarding the use of the NAS-Identifier for the past 8 or so years. But somehow, there seems to be still no solution on the horizon. The addition of the dynamic client feature provided great relief compared to the static client/nas list which is only loaded during the radiusd startup or SIGHUP. Anyhow, I still have the problem that clients using ISPs with shared IP addresses (e.g. some satellite providers etc) have to use exactly the same shared secret for all routers (nas) despite they might be different customers. In addition, we have clients with the nas installed on vessels and they roam between different satellite links and IP addresses. At times vessels from different companies are using the same IP address at the same time. In my test setup I am now using dynamic clients with sql and rlm_raw on FR 2.1.11. I am extracting the NAS-Identifier within 'dynamic-clients': if ("%{sql: SELECT nas_identifier FROM phs_nas WHERE nas_identifier = '%{raw:NAS-Identifier}'}") { This works fine as only a nas with the correct NAS-Identifier will be allowed. After the first Access-Request the IP address of the NAS is added to the (memory resident) client/nas list. In my sql nas table I like to use the NAS-Identifier instead of the IP address (at least that is my intention). The standard scenario is working fine using the NAS-Identifier: rad_recv: Access-Request packet from host 192.168.25.215 port 49481, id=39, length=222 Wed Jul 27 04:25:18 2011 : Debug: server dynamic_client_server { Wed Jul 27 04:25:18 2011 : Debug: rlm_raw: (raw_xlat) Wed Jul 27 04:25:18 2011 : Debug: rlm_raw: NAS-Identifier = myTestID123 Wed Jul 27 04:25:18 2011 : Debug: rlm_sql_mysql: query: SELECT nasname FROM phs_nas WHERE nasname = 'myTestID123' ... Wed Jul 27 04:25:18 2011 : Debug: } # server dynamic_client_server Wed Jul 27 04:25:18 2011 : Debug: - Added client 192.168.25.215 with shared secret HereIsMySharedSecret1 rad_recv: Access-Request packet from host 192.168.25.215 port 49481, id=39, length=222 User-Name = " myuser" NAS-Identifier = "myTestID123" ... Wed Jul 27 04:25:19 2011 : Info: ++[exec] returns noop Sending Access-Accept of id 39 to 192.168.25.215 port 49481 Here comes the problem! Now radiusd receives a request from a different client/NAS, but with the same IP address: Since the IP is already in the memory resident client/nas list, there is no need to search the database again. The different NAS-Identifier and different shared secret is ignored and the Access-Request is accepted. rad_recv: Access-Request packet from host 192.168.25.215 port 53237, id=42, length=222 User-Name = "thisUser " NAS-Identifier = "myTestID456" ... Sending Access-Accept of id 42 to 192.168.25.215 port 53237 While the request (id=42) is getting through, the reply is using a different shared secret, the one found in the first access-request (id=39) and the reply will therefore not be accepted by the nas and the NAS log shows: RADIUS server is not responding My conclusion: I like to use the e.g. NAS-Identifier for a unique identification of a client/nas instead of the IP. I do not want to change anything on the client side (e.g. vpn etc.). All client/nas have to use unique NAS-Identifiers and Shared Secrets which is easy to achieve during setup. Any hints using FreeRadius with the NAS-Identifier in this context are appreciated! Or if FreeRadius cannot support this, are there other Radius server which could do this job? Is there by chance anywhere Freeradius developer documentation available or is the 'documented' source code the documentation? Thank you!