NAS-Identifier instead of IP
freeradius at caribsms.com
Wed Jul 27 09:32:10 CEST 2011
Alan DeKok wrote:
> The only real solution is a secure transport protocol.

Trying to avoid the 'BIG' change as this would imply that all routers have
to be modified and they have to support this feature.

> Install FR on each system, and use RADIUS over TLS. That solves both
> the "re-use IP" and the "end system identity" problem.

Not a viable option really as I would have to install/maintain too many FR
servers and I try to avoid the TLS overhead.

> Exactly. RADIUS requires a unique IP for every client.

Yep, that is the current solution (and problem).

> > My conclusion: I like to use the e.g. NAS-Identifier for a unique
> > identification of a client/nas instead of the IP.
> You can come up with horrible hacks, or you can use crypto.

Working on the 'horrible hacks' ...

> > Any hints using FreeRadius with the NAS-Identifier in this context
> > appreciated!
> Edit the source code.

I'll give it a try.

> All documentation ships with the server.

Thought so ;-)

Maybe 'FreeDiameter' will provide the functionality ...
More information about the Freeradius-Devel