Authorising Clients by Calling Station ID Not IP

JennyBlunt jennyshoehorn at
Mon Oct 24 21:45:50 CEST 2011

Hello Phil

I guess we don't need a per NAS secret but thought it might help block any customers we don't need.

We have a load of wifi hotspots on dynamic ips. We know all their nas ids, but not their ip addresses. That's the main reason for it. I guess the other way would be to use hunt groups or a network id to allow / disallow clients instead of worrying about the nas?


On 24 Oct 2011, at 20:42, Phil Mayers [via FreeRadius] wrote:

> On 10/24/2011 08:06 PM, Jennyanydots Napoleon Shoehorn wrote: 
> > The ultimate intention was to use the mac address of the nas and a nas 
> > specific shared secret. 
> Do you really need a per-NAS secret? 
> > 
> > In your opinion, are there better ways to deal with dynamic clients? 
> "It depends". Can you describe your setup in any detail? 
> If you've got untrusted clients on IP addresses you don't control and 
> can't know ahead of time, then it's really hard. The best solution is 
> "don't do that". 
> If your NAS and network topology support it, things like VPN tunnels 
> from NAS->radius server with IP assignment might be one option. 
> - 
> List info/subscribe/unsubscribe? See
> If you reply to this email, your message will be added to the discussion below:
> To unsubscribe from Authorising Clients by Calling Station ID Not IP, click here.

View this message in context:
Sent from the FreeRadius - User mailing list archive at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list