NAS-Identifier instead of IP
Alan DeKok
aland at deployingradius.com
Wed Jul 27 08:27:18 CEST 2011
Gunther wrote:
> Anyhow, I still have the problem that clients using ISPs with shared IP
> addresses (e.g. some satellite providers etc.) have to use exactly the same
> shared secret for all routers (NAS) even though they might be different
> customers.
>
> In addition, we have clients with the nas installed on vessels and they roam
> between different satellite links and IP addresses.
> At times vessels from different companies are using the same IP address at
> the same time.
The only real solution is a secure transport protocol.
Install FR on each system, and use RADIUS over TLS. That solves both
the "re-use IP" and the "end system identity" problem.
> Here comes the problem!
...
> While the request (id=42) is getting through, the reply is using a different
> shared secret, the one found in the first access-request (id=39) and the
> reply will therefore not be accepted by the nas and the NAS log shows:
> RADIUS server is not responding
Exactly. RADIUS requires a unique IP for every client.
> My conclusion: I like to use the e.g. NAS-Identifier for a unique
> identification of a client/nas instead of the IP.
You can come up with horrible hacks, or you can use crypto.
> Any hints using FreeRadius with the NAS-Identifier in this context are
> appreciated!
Edit the source code.
> Or if FreeRadius cannot support this, are there other RADIUS servers which
> could do this job?
I'm not sure that *any* RADIUS server supports this.
> Is there by chance anywhere Freeradius developer documentation available or
> is the 'documented' source code the documentation?
All documentation ships with the server.
Alan DeKok.
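The failure Gunther describes, worked through as an added example (not code from the thread or from FreeRADIUS): the RFC 2865 Response Authenticator is MD5 over the reply header, the Request Authenticator, the attributes and the shared secret, so a reply signed with the secret the server associates with the source IP (NAS A's) cannot be verified by NAS B. All packet bytes and secrets below are constructed.

```python
"""RFC 2865 Response Authenticator: why a reply built with the wrong
shared secret is silently dropped by the NAS (constructed data)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble the reply packet for a given request."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def nas_accepts_reply(reply, request_auth, secret):
    """NAS side: recompute the authenticator with the NAS's own secret and
    compare in constant time; a mismatch means the reply is discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < HEADER_LEN or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


# Constructed secrets: two different customers' NASes behind one shared IP.
SECRET_NAS_A = b"secret-for-nas-A"
SECRET_NAS_B = b"secret-for-nas-B"


def demo():
    """Returns (accepted by NAS B, accepted by NAS A) for one mis-keyed reply."""
    req_auth_b = bytes(range(16))  # constructed Request Authenticator sent by NAS B (id=42)
    attrs = bytes([18, 7]) + b"hello"  # Reply-Message (type 18) = "hello"
    # The server keys the secret on the source IP, first learned from NAS A (id=39),
    # so NAS B's request is answered with NAS A's secret.
    reply = build_reply(ACCESS_ACCEPT, 42, attrs, req_auth_b, SECRET_NAS_A)
    return (nas_accepts_reply(reply, req_auth_b, SECRET_NAS_B),
            nas_accepts_reply(reply, req_auth_b, SECRET_NAS_A))


if __name__ == "__main__":
    print(demo())  # (False, True): NAS B drops it and logs "server is not responding"
```

Tying the secret to the transport peer rather than the IP (RADIUS over TLS, as suggested above) removes the ambiguity that makes this lookup wrong.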