Dynamic clients and NAS-Identifier

Alan DeKok aland at deployingradius.com
Wed May 20 11:04:52 CEST 2009


Johan Meiring wrote:
> I realise I've asked for this before, and it is on your todo list, but
> I'd like to make a case again for maybe getting it moved up higher onto
> the list.

  My "to do" list right now is:

- consulting work (my *only* source of income is FreeRADIUS)

- 3 IETF documents that I'm author / co-author

- White paper for a Linux conference

> The current "clients" structure identifies the NAS's by IP address.
> While this is perfect for corporate environments, it is not so perfect
> for the hotspot environment in which we operate.

  RADIUS was never designed to work that way.  It's insecure.

  One of the documents I'm writing involves leveraging SSL to allow that
capability.  But implementations are a long ways out.

> We need to somehow authenticate the NAS, so someone cannot send "rough"
> accounting info to radius.

  You could always write a simple RADIUS proxy that did those checks.
It likely could be done in ~200-300 lines of Perl.

> I'm sure that I'm not the only one that has NAS's behind dynamic IPs,
> and this would make radius traffic from such NAS's much more secure.

  Maybe...

 Alan DeKok.
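
The per-NAS check that a proxy like the one suggested above could apply to accounting traffic, as an added example that is not part of the original post and is not FreeRADIUS code: it looks up the shared secret by NAS-Identifier instead of source IP and verifies the Accounting-Request authenticator defined in RFC 2866. The secret table, NAS names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
NAS_IDENTIFIER = 32      # RADIUS attribute type (RFC 2865)
# Constructed sample table: shared secret per NAS-Identifier (hypothetical names).
SECRETS = {b"hotspot-001": b"s3cret-one", b"hotspot-002": b"s3cret-two"}


def parse_attributes(data):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        yield data[pos], data[pos + 2:pos + alen]
        pos += alen


def verify_accounting_request(packet, secrets=SECRETS):
    """Return the NAS-Identifier if the packet authenticates, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]  # octets beyond the Length field are padding
    try:
        attrs = list(parse_attributes(packet[20:]))
    except ValueError:
        return None
    nas_ids = [v for t, v in attrs if t == NAS_IDENTIFIER]
    if len(nas_ids) != 1 or nas_ids[0] not in secrets:
        return None
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(
        packet[:4] + bytes(16) + packet[20:] + secrets[nas_ids[0]]
    ).digest()
    return nas_ids[0] if hmac.compare_digest(expected, packet[4:20]) else None


def build_accounting_request(ident, nas_id, secret):
    """Build a constructed sample Accounting-Request for exercising the check."""
    attrs = bytes([NAS_IDENTIFIER, len(nas_id) + 2]) + nas_id
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs
```

The NAS-Identifier is read before the packet is authenticated, so it serves only as a lookup key; the authenticator check with that NAS's secret is what ties the packet to the NAS. This covers accounting only, since an Access-Request carries a random authenticator rather than a keyed digest.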


