Access-Request / Mandatory Attributes

Jeffrey Hutzelman jhutz at cmu.edu
Thu Jan 7 23:36:41 CET 2010


--On Thursday, December 24, 2009 10:32:24 AM +0100 rsg 
<ranil.santhish at gmail.com> wrote:

> Hi,
>
> I find that the FreeRADIUS server allows access even without either of the
> mandatory attributes, i.e. NAS-Identifier or NAS-IP-Address, in the
> Access-Request packet.
>
> Is this a deviation from RFC 2865?
>
> "... An Access-Request SHOULD contain a User-Name attribute.  It
> MUST contain either a NAS-IP-Address attribute or a NAS-Identifier
> attribute (or both)."
>
> Can someone clarify this please?

No.  That paragraph expresses a requirement for compliant NASes; it does 
not specify the behaviour of a RADIUS server.  There is nothing in 2865 
which requires a RADIUS server to reject a request which does not contain 
one of these attributes.  In fact, a server which behaved that way would 
exhibit interoperability problems (though I can't say how serious), since 
previous versions of the RADIUS spec did not require these attributes to be 
present.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA




More information about the Freeradius-Devel mailing list