NAS-Identifier instead of IP

Gunther freeradius at caribsms.com
Wed Jul 27 09:32:10 CEST 2011


Alan DeKok wrote:
>   The only real solution is a secure transport protocol.

Trying to avoid the 'BIG' change as this would imply that all routers have
to be modified and they have to support this feature.

>   Install FR on each system, and use RADIUS over TLS.  That solves both
> the "re-use IP" and the "end system identity" problem.

Not a viable option really as I would have to install/maintain too many FR
servers and I try to avoid the TLS overhead.

>   Exactly.  RADIUS requires a unique IP for every client.

Yep, that is the current solution (and problem).

> > My conclusion: I like to use the e.g. NAS-Identifier for a unique
> > identification of a client/nas instead of the IP.
> 
>   You can come up with horrible hacks, or you can use crypto.

Working on the 'horrible hacks' ...

> > Any hints using FreeRadius with the NAS-Identifier in this context are
> > appreciated!
> 
>   Edit the source code.

I'll give it a try.

>   All documentation ships with the server.

Thought so ;-)

Thanks Alan!

Maybe 'FreeDiameter' will provide the functionality ...

Gunther
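
Added example, not part of the message above and not FreeRADIUS code: a sketch of what selecting the shared secret by NAS-Identifier instead of source IP has to check, since the attribute is just an unauthenticated claim until the packet's Message-Authenticator (RFC 2869, HMAC-MD5) verifies under that client's secret. It assumes every NAS sends Message-Authenticator; SECRETS, parse_attrs, identify_client and build_request are hypothetical names, and the packets are constructed.

```python
import hashlib, hmac, os, struct

NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80  # attribute types (RFC 2865 / RFC 2869)

# Constructed table: one shared secret per NAS-Identifier (hypothetical names).
SECRETS = {b"router-a": b"secret-a", b"router-b": b"secret-b"}

def parse_attrs(packet):
    """Return (length, [(type, value_offset, value)]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        alen = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return length, attrs

def identify_client(packet):
    """Return the NAS-Identifier only if the packet's Message-Authenticator
    verifies under the secret configured for that identifier, else None."""
    try:
        length, attrs = parse_attrs(packet)
    except ValueError:
        return None
    ids = [v for t, _, v in attrs if t == NAS_IDENTIFIER]
    macs = [o for t, o, v in attrs if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    if len(ids) != 1 or len(macs) != 1 or ids[0] not in SECRETS:
        return None  # the claimed name is untrusted until the HMAC checks out
    off = macs[0]
    # The HMAC covers the whole packet with the Message-Authenticator value zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(SECRETS[ids[0]], zeroed, hashlib.md5).digest()
    return ids[0] if hmac.compare_digest(expected, packet[off:off + 16]) else None

def build_request(nas_id, secret):
    """Constructed Access-Request carrying NAS-Identifier and Message-Authenticator."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytes([1, 7]) + struct.pack("!H", 20 + len(attrs)) + os.urandom(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

A request that names router-a but was keyed with another client's secret, or that carries no Message-Authenticator at all, is rejected rather than matched by name.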



