That constraint is still there in v3.0.x. Why would you want to add a client that doesn't match the src IP address of the packet you just received?
Because the NASes will be NATted over the internet, the real IP might be a private RFC1918 address, but the source IP address will be a public IP. Multiple NASes would be seen as the same public IP address but have their own NAS-IP-Address values. Ok message understood. I'll stick with one secret for all clients (per virutal server at least), then use the radcheck query to check per nas based on NAS-IP-Address, which is available and safe as the packet will have passed the 'known secret' stage. I can live with this. And then I don't need the rlm_raw module, so a less hacky build. Cheers for all your input, Kev/.