2015-03-26 14:49 GMT+01:00 James Wood <james.wood@purplewifi.com>:
Hi Ben
I use the rewrite.called_station_id in the sites-enabled/default file in the relevant places and that works fine, but this particular question is regarding the sites-enabled/dynamic-clients file authorize section.
Yes, sorry, my fault. Wasn't aware about the special behaviour of the "dynamic-clients" server name before. Can you please post your sites-enabled/dynamic-clients file as well as the structure of an entry in the nas table filled with example data? 2015-03-26 15:32 GMT+01:00 James Wood <james.wood@purplewifi.com>:
You are describing about a perfect scenario where customers will do as you ask.
When you are not supplying the kit to customers, and they are big enterprise level customers, they will not install anything 3rd party in their existing network. You try getting them to install an extra piece of kit they don't know anything about ;) They won't do it.
That's true for big enterprises but those already have the hardware and software to do VPN or use services like DynDNS or already have hardware that submits the data in the correct format. Small customers does not but are more likely willed to install a kit. Regardless of the size of your customers you really should have "minimum requirements" they have to meet. They then can decide if they want to install a kit you've provided or if they want to buy hardware which meets these requirements themselves.
So we have two options, work with what they have, or drop them as a customer.
As I said, there is no choice when we do not control/own their network, we have to (sadly) work with what they have. No two systems are the same and we try to cater for them all.
I know that and understand your problem. However with that behaviour you're just weakening your service security. Soon you maybe have to allow Radius clients from 0.0.0.0 because of the diversity of NAS submitted data and that means a huge vulnerability. In case the Radius gets DDoSed your customers either wouldn't get their consumers data updated or their hotspot would be offline. And in case the Radius gets hacked your customers data could get modified or extracted and published / abused. The result is always the same: very angry customers and you'll make the news. I guess you are aware of that but your boss - who made the decision to "allow everybody" - is not. Whatsoever, if being more secure isn't a solution at all I'll wait for your reply with the requested data and think about the most secure solution to get your problem solved.