Dynamic Clients
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 14 12:02:18 CEST 2014
On 14/08/14 10:48, Alan DeKok wrote:
>> I do appreciate that RFC2865 states that it MUST NOT be used, but that
>> was back in 2000, when Cloud and SaaS hosting didn't exist.
>
> It's really about security. If you need random clients connecting to
> your server, you should be using RADIUS over TLS.
Just to expand on this - NAS-IP-Address is of course a payload
attribute. Reading it requires parsing the packet. Parsing data from an
untrusted source is best avoided.
If FreeRADIUS could do this, the packet parsing would have to be
two-pass - decode without authenticator (because you lack the secret),
extract NAS-IP-Address, find client/secret, then validate authenticator
/ Message-Authenticator, and decide to drop or pass and decrypt
encrypted fields.
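The two-pass decode described above, as an added Python example that is not from the post or from FreeRADIUS: the client table, shared secret and Access-Request are constructed here, and the "validate" step checks Message-Authenticator (HMAC-MD5) because an Access-Request's own authenticator is random and cannot be verified on its own.

```python
import hashlib, hmac, struct
CLIENTS = {"192.0.2.10": b"s3cret-nas10"}  # constructed client table: NAS-IP-Address -> secret

def parse_attrs(body):
    # Pass 1: walk the TLVs of untrusted bytes; needs no secret. Yields (type, value-offset, value).
    i, out = 0, []
    while i < len(body):
        ln = body[i + 1] if i + 1 < len(body) else 0
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed attribute")
        out.append((body[i], i + 2, body[i + 2:i + ln]))
        i += ln
    return out

def xor_password(data, secret, auth, decrypt):
    # RFC 2865 5.2 User-Password hiding: MD5(secret + previous block) xored over 16-byte blocks.
    out, prev = b"", auth
    for k in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[k:k + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (data[k:k + 16] if decrypt else blk)
    return out

def build_access_request(nas_ip, secret, password, auth=b"\x11" * 16):
    # Constructed Access-Request carrying NAS-IP-Address(4), User-Password(2), Message-Authenticator(80).
    pw = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    attrs = bytes([4, 6]) + bytes(int(x) for x in nas_ip.split("."))
    attrs += bytes([2, 2 + len(pw)]) + xor_password(pw, secret, auth, False)
    attrs += bytes([80, 18]) + b"\x00" * 16  # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", 1, 0, 20 + len(attrs)) + auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def two_pass_decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    auth, attrs = pkt[4:20], parse_attrs(pkt[20:])
    nas = next((v for t, _, v in attrs if t == 4 and len(v) == 4), None)
    secret = CLIENTS.get(".".join(map(str, nas))) if nas else None
    if secret is None:
        return "drop: unknown or missing NAS-IP-Address"
    # Pass 2: now that a secret is known, verify Message-Authenticator before trusting anything else.
    ma = next(((o, v) for t, o, v in attrs if t == 80 and len(v) == 16), None)
    if ma is None:
        return "drop: no Message-Authenticator"
    zeroed = pkt[:20 + ma[0]] + b"\x00" * 16 + pkt[36 + ma[0]:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), ma[1]):
        return "drop: bad Message-Authenticator"
    pw = next((v for t, _, v in attrs if t == 2), b"")
    return "pass: " + xor_password(pw, secret, auth, True).rstrip(b"\x00").decode()
SAMPLE = build_access_request("192.0.2.10", CLIENTS["192.0.2.10"], b"hunter2")
```

Note that parse_attrs runs before any secret is known, which is exactly the unauthenticated parsing of untrusted input the post objects to.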