On 14/08/14 10:48, Alan DeKok wrote:
I do appreciate that RFC2865 states that is MUST NOT be used, but that was back in 2000, when Cloud and SaaS hosting didn't exist.
It's really about security. If you need random clients connecting to your server, you should be using RADIUS over TLS.
Just to expand on this - NAS-IP-Address is of course a payload attribute. Reading it requires parsing the packet. Parsing data from an untrusted source is best avoided. If FreeRADIUS could do this, the packet parsing would have to be two-pass - decode without authenticator (because you lack the secret), extract NAS-IP-Address, find client/secret, then validate authenticator / Message-Authenticator, and decide to drop or pass and decrypt encrypted fields.