Dropping NAS-Port AVP from Acct-Unique-Session-Id by default

Nick Lowe nick.lowe at gmail.com
Fri Sep 18 15:50:59 CEST 2015


Yes, of course it can be used but the point that I was trying to make
is that it is decoupled/unrelated because it is not required. Full EAP
auth can-and-does take place during re-authentication for some
clients, often depending on config. It occurs at a different layer of
abstraction. (This is secure and reliable where it does take place.)

The User-Name and the Calling-Station-Id are values supplied by a
client so they cannot be blindly trusted. Another STA/client can spoof
these which would conceptually result in the same Class attribute
being returned. It is fundamentally something that is not a robust
primitive to be relied upon therefore.

Regards,

Nick

