rsg wrote:
I find that FreeRadius server allows access even without either of the mandatory attributes i.e. NAS-Identifier or NAS-IP-Address in the Access Request packet.
Is this a deviation from RFC 2865 ?
No.
" .....An Access-Request SHOULD contain a User-Name attribute. It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both)."
Can someone clarify this please?
It is a requirement on *client* implementations. It has no meaning for a RADIUS server. What do you suggest that a RADIUS server do if it receives a "non-compliant" packet? Discard it? Reject it? ... FreeRADIUS enforces security requirements. Nearly all of the other "MUST" statements are meant as "this is good practice". They can therefore be ignored. And they often *need* to be ignored for inter-operability with horrible vendor equipment. Alan DeKok.