Dynamic clients and NAS-Identifier
jmeiring at pcservices.co.za
Wed May 20 12:37:05 CEST 2009
Ivan Kalik wrote:
>> The problem is that the hotspots can be anywhere. They are mostly
>> behind ADSL lines. The source ip address of the radius packet is
>> therefore not predictable.
> Ahem, it's not. But subnet is. There can't be that many IP pools ADSL
> providers can use. And you configure the subnet, not exact IP in
> dynamic-clients. Just make one for each ADSL pool.
The problem is that our product is:
Buy the hotspot. Install it.
We don't care where, as long as it has internet access.
To "steal" a quote from freeradius: It just works. :-)
I therefore cannot even predict the subnet.
>> The only other way I can thing of is identifying the nas by the
> Why "other"? That's a bad idea.
Don't understand what you mean.
>> To sum up.
>> Currently a nas is "authenticated" by ip address/radius secret.
>> I feel that being able to "authenticate" a nas by nas identifier/radius
>> secret is a very good enhancement.
>> I'm sure that I'm not the only one that have NAS's behind dynamic IPs,
>> and this would make radius traffic from such NAS's much more secure.
How many other people on the list has NAS'es behind dynamic IPs.
> No, that would be less secure. Enhancement woud be to have NAS-Identifier
> *on top* of Packet-Src-IP-Address. Then you could assign individual shared
> secrets to each hotspot (at present whole range has to have same shared
Agreed. Using both would be more secure.
I'm sure we can have a long debate over whether
Packet-Src-IP-Address/secret or NAS-Identifier/secret is more secure,
but that would probably be a waste of time.
Having NAS-Identifier on top of Packet-Src-IP-Address would still allow
me to do what I want.
You hit the nail on the head above. The problem is that a whole range
has to have the same secret.
Even if all my customers were behind the same DSL provider, and I
threfore have a reduced subnet for clients, they still have to have the
same secret, which means my radius secret becomes public knowledge!
I would be really great to be able to give each nas its own secret.
> Ivan Kalik
> Kalik Informatika ISP
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
More information about the Freeradius-Users