Dynamic clients and NAS-Identifier

Ivan Kalik tnt at kalik.net
Wed May 20 11:59:19 CEST 2009

> The problem is that the hotspots can be anywhere.  They are mostly
> behind ADSL lines.  The source ip address of the radius packet is
> therefore not predictable.

Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
providers can use. And you configure the subnet, not exact IP in
dynamic-clients. Just make one for each ADSL pool.

> The only other way I can thing of is identifying the nas by the
> NAS-Identifier.

Why "other"? That's a bad idea.

> To sum up.
> Currently a nas is "authenticated" by ip address/radius secret.
> I feel that being able to "authenticate" a nas by nas identifier/radius
> secret is a very good enhancement.
> I'm sure that I'm not the only one that have NAS's behind dynamic IPs,
> and this would make radius traffic from such NAS's much more secure.

No, that would be less secure. Enhancement woud be to have NAS-Identifier
*on top* of Packet-Src-IP-Address. Then you could assign individual shared
secrets to each hotspot (at present whole range has to have same shared

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list