sophana <sophana@zizi.ath.cx> wrote:
Both the Access Request and Accounting Request MUST have the NAS-IP-Address <http://www.freeradius.org/rfc/rfc2865.html#NAS-IP-Address> attribute or a NAS-Identifier <http://www.freeradius.org/rfc/rfc2865.html#NAS-Identifier> attribute (or both). Does this mean that ALL packets sent from client contains at least one of these 2 attributes?
Yes.
So does this mean that the radius server could lookup in its database a secret according to one of these attributes instead of the ip address?
In theory, yes. In practice, this permits additional attacks that can compromise your server. Please read clients.conf, and implement my suggestion for using shared secrets for an entire network. It's by far and away the best choice. Alan DeKok.