On 30/03/2017 13:44, Alan DeKok wrote:
I was thinking about using the NAS-ID or called-station-id to authenticate instead. The NAS-ID is in the rad_recv request so I'm figuring somehow it must be possible to use that? It's not possible.
If you have multiple NASes behind a NAT, then obviously you can't have different shared secrets for each one, but I don't think that's what the OP was asking. The question was "how I can base authentication on which NAS a user is trying to log in from?", which I took to mean "how can I make the authentication response vary depending on which NAS originated the radius request?" It is clearly possible to use NAS-Identifier for that purpose. Given the constraints in the original question, it seems like a reasonable solution to me. Regards, Brian.