NAS-IP vs srcIP

James J J Hooper jjj.hooper at
Thu Apr 1 23:12:09 CEST 2010

--On 01 April 2010 09:39 -0700 Marlon Duksa <mduksa at> wrote:

> Hi everyone -
> Can anyone think of a reason why the NAS-IP and the scr-IP of the
> access-req packet should not be the same?
> If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to
> the IP address other than the src-ip of the NAS that is used in reqular
> FreeRadius accounting/authorization packets. The source IP address of the
> NAS is normally the native interface address from which access-req was
> sent (but it can be configurable).
> The NAS-IP would be used to address NAS in CoA requests sent from the
> FreeRadius. We need this behavior to address certain deployment
> requirements.

Radius proxying!

An incoming radius packet may come via a proxy. Therefore that packet's 
src.ip = the proxies IP.

The NAS-IP-Address attribute is set to whatever the NAS wants to send.

Whether you can address a COA to the NAS-IP-Address depends on whether:

* The NAS chose/was configured to send the IP it's COA listener is bound to 
in the NAS-IP-Address attribute.

* Whether you can access that IP/port directly - If your NAS is configured 
only to talk via a RADIUS proxy, and everything else is firewalled out, 
direct replies (COA or otherwise) won't work.


James J J Hooper
Network Specialist
Information Services
University of Bristol

More information about the Freeradius-Users mailing list