public secret and public radius server. Is it secure?

Alan DeKok aland at
Mon Jun 5 06:19:47 CEST 2006

sophana <sophana at> wrote:
> Both the Access Request and Accounting Request MUST have the
> NAS-IP-Address attribute or a NAS-Identifier attribute (or both).
> Does this mean that ALL packets sent from the client contain at least one
> of these 2 attributes?


> So does this mean that the radius server could look up in its database a
> secret according to one of these attributes instead of the IP address?

  In theory, yes.  In practice, this permits additional attacks that
can compromise your server.

  Please read clients.conf, and implement my suggestion for using
shared secrets for an entire network.  It's by far and away the best

  Alan DeKok.
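
An added example, not part of the original post and not FreeRADIUS code: it selects the shared secret from the packet's source address only (one secret per network, longest prefix wins), never from the NAS-Identifier carried inside the packet, and then verifies an Accounting-Request authenticator as defined in RFC 2866. The networks, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed client table: one shared secret per source network.
CLIENTS = {
    ipaddress.ip_network("192.0.2.0/24"): b"network-wide-secret",
    ipaddress.ip_network("192.0.2.128/25"): b"branch-secret",
}

def secret_for_source(src_ip):
    """Choose the secret from the source address alone (longest prefix wins)."""
    addr = ipaddress.ip_address(src_ip)
    matches = [net for net in CLIENTS if addr in net]
    if not matches:
        return None
    return CLIENTS[max(matches, key=lambda net: net.prefixlen)]

def nas_identifier(value):
    """Encode a NAS-Identifier attribute (type 32) as type, length, value."""
    return bytes([32, 2 + len(value)]) + value

def build_accounting_request(ident, attrs, secret):
    """RFC 2866: Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def accept_accounting_request(packet, src_ip):
    """True only if the source is a known client and the authenticator verifies."""
    secret = secret_for_source(src_ip)
    if secret is None or len(packet) < 20:
        return False  # unknown source network or truncated packet
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        return False  # not an Accounting-Request, or length field mismatch
    # The attributes (including any NAS-Identifier) are hashed, but they
    # play no part in deciding which secret is used.
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    pkt = build_accounting_request(1, nas_identifier(b"nas1"), b"network-wide-secret")
    for src in ("192.0.2.10", "192.0.2.200", "198.51.100.7"):
        print(src, accept_accounting_request(pkt, src))
```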
