Dynamic Clients

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 14 12:02:18 CEST 2014

On 14/08/14 10:48, Alan DeKok wrote:

>> I do appreciate that RFC2865 states that is MUST NOT be used, but that
>> was back in 2000, when Cloud and SaaS hosting didn't exist.
>    It's really about security.  If you need random clients connecting to
> your server, you should be using RADIUS over TLS.

Just to expand on this - NAS-IP-Address is of course a payload 
attribute. Reading it requires parsing the packet. Parsing data from an 
untrusted source is best avoided.

If FreeRADIUS could do this, the packet parsing would have to be 
two-pass - decode without authenticator (because you lack the secret), 
extract NAS-IP-Address, find client/secret, then validate authenticator 
/ Message-Authenticator, and decide to drop or pass and decrypt 
encrypted fields.

More information about the Freeradius-Users mailing list