How to use rewrite.called_station_id IN dynamic clients authorize section

Ben Humpert ben at an3k.de
Thu Mar 26 16:50:39 CET 2015


2015-03-26 14:49 GMT+01:00 James Wood <james.wood at purplewifi.com>:
> Hi Ben
>
> I use the rewrite.called_station_id in the sites-enabled/default file in the relevant places and that works fine, but this particular question is regarding the sites-enabled/dynamic-clients file authorize section.

Yes, sorry, my fault. I wasn't aware of the special behaviour of the
"dynamic-clients" server name before.

Can you please post your sites-enabled/dynamic-clients file as well as
the structure of an entry in the nas table filled with example data?


2015-03-26 15:32 GMT+01:00 James Wood <james.wood at purplewifi.com>:
> You are describing about a perfect scenario where customers will do as you
> ask.
>
> When you are not supplying the kit to customers, and they are big enterprise
> level customers, they will not install anything 3rd party in their existing
> network. You try getting them to install an extra piece of kit they don't
> know anything about ;) They won't do it.

That's true for big enterprises, but those already have the hardware
and software to do VPN or use services like DynDNS, or already have
hardware that submits the data in the correct format. Small customers
do not, but are more likely willing to install a kit.

Regardless of the size of your customers you really should have
"minimum requirements" they have to meet. They then can decide if they
want to install a kit you've provided or if they want to buy hardware
which meets these requirements themselves.

> So we have two options, work with what they have, or drop them as a
> customer.
>
> As I said, there is no choice when we do not control/own their network, we
> have to (sadly) work with what they have. No two systems are the same and we
> try to cater for them all.

I know that and understand your problem. However, with that behaviour
you're just weakening your service's security. Soon you may have to
allow Radius clients from 0.0.0.0 because of the diversity of NAS
submitted data, and that means a huge vulnerability. In case the Radius
gets DDoSed, your customers either wouldn't get their consumers' data
updated or their hotspot would be offline. And in case the Radius gets
hacked, your customers' data could get modified or extracted and
published / abused. The result is always the same: very angry
customers and you'll make the news.
I guess you are aware of that, but your boss - who made the decision to
"allow everybody" - is not.


Whatever the case, if being more secure isn't a solution at all, I'll wait for
your reply with the requested data and think about the most secure
solution to get your problem solved.
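The "allow everybody" risk Ben describes comes down to the client block that feeds the dynamic-clients virtual server. The fragment below is an added example for this archived thread, not configuration posted by Ben or James and not the file James was asked to share. It assumes FreeRADIUS 3.0 syntax and the stock `nas` table from the SQL schema shipped in raddb (columns `nasname`, `shortname`, `type`, `secret`, `server`); the 203.0.113.0/24 range is a placeholder for a customer's actual NAS network. It shows the wide-open client definition next to a narrowed one and the authorize section that turns a matching `nas` row into a client.

```conf
# Added example, not from the thread. Assumes FreeRADIUS 3.0 and the
# stock "nas" SQL table (nasname, shortname, type, secret, server).

# WEAK: every IPv4 source address triggers a lookup. Any host on the
# Internet can make the server query the database on each packet, and
# a nas row with a guessable secret lets it pose as a customer site.
client dynamic_any {
    ipaddr          = 0.0.0.0
    netmask         = 0
    dynamic_clients = dynamic_clients
    lifetime        = 3600
}

# BETTER: only the networks the customers' NAS actually send from
# (a VPN range or a documented static block) may trigger a lookup.
# 203.0.113.0/24 is a placeholder (TEST-NET-3), not a real customer.
# A short lifetime means a nas row deleted from the table stops
# working without a server restart.
client dynamic_customers {
    ipaddr          = 203.0.113.0
    netmask         = 24
    dynamic_clients = dynamic_clients
    lifetime        = 600
}

server dynamic_clients {
    authorize {
        # Look the packet's source address up in the nas table. The sql
        # xlat expands to an empty string when no row matches, so the
        # "if" fails, no client is defined, and the packet is dropped
        # without a reply. The lookup key is the source IP taken from
        # the packet header, not an attribute a client can supply.
        if ("%{sql:SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
            update control {
                &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                &FreeRADIUS-Client-Shortname  = "%{sql:SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
                &FreeRADIUS-Client-Secret     = "%{sql:SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
                &FreeRADIUS-Client-NAS-Type   = "%{sql:SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
            }
            # "ok" is what makes the server add the client; any other
            # return code leaves the source address unknown.
            ok
        }
        else {
            noop
        }
    }
}
```

With the narrowed client block in place, a packet from an address outside 203.0.113.0/24 never reaches the SQL lookup at all, which is the property that protects the database from the flood Ben warns about; a row in the `nas` table only helps an attacker who can already send from an allowed network.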


More information about the Freeradius-Users mailing list