Authorising Clients by Calling Station ID Not IP

Phil Mayers p.mayers at
Mon Oct 24 22:04:11 CEST 2011

On 10/24/2011 08:45 PM, JennyBlunt wrote:
> Hello Phil
> I guess we don't need a per-NAS secret but thought it might help block
> any customers we don't need.
> We have a load of wifi hotspots on dynamic IPs. We know all their nas

Ok, that's about the hardest case I'm afraid.

If you have the option of using something like a tunnel (IPSec) to bring 
the NASes into your network and give them local IPs I would take it.

If not, then an out-of-band solution might work.

There's no easy answer here I'm afraid. It will depend on the numbers 
and vendor of your NAS, the capabilities they have and lots of other 

In an ideal world, RADIUS-over-TLS (RadSec) would solve this problem but 
it's basically guaranteed your NASes don't support it (nothing does yet, 
and possibly never will for NAS->Server traffic).
