NAS-Identifier instead of IP

Wed Jul 27 07:03:58 CEST 2011

I have seen several requests in this mailing list regarding the use of the
NAS-Identifier for the past 8 or so years.
But somehow, there seems to be still no solution on the horizon.

The addition of the dynamic client feature provided great relief compared to
the static client/nas list which is only loaded during the radiusd startup
or SIGHUP.

Anyhow, I still have the problem that clients using ISPs with shared IP
addresses (e.g. some satellite providers etc) have to use exactly the same
shared secret for all routers (nas) despite they might be different
customers.

In addition, we have clients with the nas installed on vessels and they roam
between different satellite links and IP addresses.
At times vessels from different companies are using the same IP address at
the same time.

In my test setup I am now using dynamic clients with sql and rlm_raw on FR
2.1.11. I am extracting the NAS-Identifier within 'dynamic-clients':

if ("%{sql: SELECT nas_identifier FROM phs_nas WHERE nas_identifier =
'%{raw:NAS-Identifier}'}") {

This works fine as only a nas with the correct NAS-Identifier will be
allowed.
After the first Access-Request the IP address of the NAS is added to the
(memory resident) client/nas list.

In my sql nas table I like to use the NAS-Identifier instead of the IP
address (at least that is my intention).

The standard scenario is working fine using the NAS-Identifier:

rad_recv: Access-Request packet from host 192.168.25.215 port 49481, id=39,
length=222
Wed Jul 27 04:25:18 2011 : Debug: server dynamic_client_server {
Wed Jul 27 04:25:18 2011 : Debug: rlm_raw: (raw_xlat)
Wed Jul 27 04:25:18 2011 : Debug: rlm_raw: NAS-Identifier = myTestID123
Wed Jul 27 04:25:18 2011 : Debug: rlm_sql_mysql: query:   SELECT nasname
FROM phs_nas WHERE nasname = 'myTestID123'
...
Wed Jul 27 04:25:18 2011 : Debug: } # server dynamic_client_server
Wed Jul 27 04:25:18 2011 : Debug: - Added client 192.168.25.215 with shared
secret HereIsMySharedSecret1
rad_recv: Access-Request packet from host 192.168.25.215 port 49481, id=39,
length=222
        User-Name = " myuser"
        NAS-Identifier = "myTestID123"
...
Wed Jul 27 04:25:19 2011 : Info: ++[exec] returns noop
Sending Access-Accept of id 39 to 192.168.25.215 port 49481

Here comes the problem!
Now radiusd receives a request from a different client/NAS, but with the
same IP address: 
Since the IP is already in the memory resident client/nas list, there is no
need to search the database again.
The different NAS-Identifier and different shared secret is ignored and the
Access-Request is accepted.

rad_recv: Access-Request packet from host 192.168.25.215 port 53237, id=42,
length=222
        User-Name = "thisUser "
        NAS-Identifier = "myTestID456"
...
Sending Access-Accept of id 42 to 192.168.25.215 port 53237

While the request (id=42) is getting through, the reply is using a different
shared secret, the one found in the first access-request (id=39) and the
reply will therefore not be accepted by the nas and the NAS log shows:
RADIUS server is not responding

My conclusion: I like to use the e.g. NAS-Identifier for a unique
identification of a client/nas instead of the IP.

I do not want to change anything on the client side (e.g. vpn etc.). All
client/nas have to use unique NAS-Identifiers and Shared Secrets which is
easy to achieve during setup.

Any hints using FreeRadius with the NAS-Identifier in this context are
appreciated!

Or if FreeRadius cannot support this, are there other Radius server which
could do this job?

Is there by chance anywhere Freeradius developer documentation available or
is the 'documented' source code the documentation?

Thank you!