NAS-Identifier instead of IP

Alan DeKok aland at
Wed Jul 27 08:27:18 CEST 2011

Gunther wrote:
> Anyhow, I still have the problem that clients using ISPs with shared IP
> addresses (e.g. some satellite providers etc) have to use exactly the same
> shared secret for all routers (nas) despite they might be different
> customers.
> In addition, we have clients with the nas installed on vessels and they roam
> between different satellite links and IP addresses.
> At times vessels from different companies are using the same IP address at
> the same time.

  The only real solution is a secure transport protocol.

  Install FR on each system, and use RADIUS over TLS.  That solves both
the "re-use IP" and the "end system identity" problem.

> Here comes the problem!
> While the request (id=42) is getting through, the reply is using a different
> shared secret, the one found in the first access-request (id=39) and the
> reply will therefore not be accepted by the nas and the NAS log shows:
> RADIUS server is not responding

  Exactly.  RADIUS requires a unique IP for every client.

> My conclusion: I like to use the e.g. NAS-Identifier for a unique
> identification of a client/nas instead of the IP.

  You can come up with horrible hacks, or you can use crypto.

> Any hints using FreeRadius with the NAS-Identifier in this context are
> appreciated!

  Edit the source code.

> Or if FreeRadius cannot support this, are there other Radius server which
> could do this job?

  I'm not sure that *any* RADIUS server supports this.

> Is there by chance anywhere Freeradius developer documentation available or
> is the 'documented' source code the documentation?

  All documentation ships with the server.

  Alan DeKok.

More information about the Freeradius-Devel mailing list