Using NAS identifier instead of IP address
Yusuf
yusuf at techluminati.com
Mon Jun 19 07:32:54 CEST 2017
The default method FreeRADIUS uses to identify the source of Access-Request
packets is the IP address. But as many of you know, a lot
of people don't have static IP addresses.
IMHO, a workaround for this problem could be to modify the FreeRADIUS source
code to use the NAS identifier + RADIUS secret to authenticate (instead
of source IP address + RADIUS secret).
However, as per
1)
https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
2)
https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345
They say:
NAS-Identifier MUST NOT be used to select the shared secret used to
authenticate the request. The source IP address of the Access-Request
packet MUST be used to select the shared secret.
Can anyone tell me why not? What are the security implications (if any)?
A quick search on Google mentions why NOT to do it, but does not explain
the "WHY" of it.
Thanks!
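
What the quoted rule looks like in a server's receive path, as an added example that is not part of the original post and is not FreeRADIUS code: the shared secret is picked from the UDP source address before any attribute is parsed, then used to check the Message-Authenticator attribute (HMAC-MD5, RFC 2869). The client table, secrets, NAS-Identifier value and function names are constructed for illustration.

```python
import hashlib, hmac, struct

# Constructed client table (sample values): UDP source IP -> shared secret.
CLIENTS = {"192.0.2.10": b"sample-secret-A", "192.0.2.20": b"sample-secret-B"}
NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80  # RADIUS attribute types


def build_request(secret, nas_id, ident=1, authenticator=bytes(16)):
    """Constructed Access-Request; a real NAS uses a random authenticator."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed for HMAC
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def parse_attrs(packet):
    """Return (declared_length, [(type, value_offset, value), ...])."""
    if len(packet) < 20:
        raise ValueError("short packet")
    end = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= end <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < end:
        if end - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("bad attribute length")
        alen = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return end, attrs


def accept(packet, src_ip):
    """Return the NAS-Identifier of a verified Access-Request, else None."""
    secret = CLIENTS.get(src_ip)  # selected before any attribute is read
    if secret is None:
        return None  # unknown client
    try:
        end, attrs = parse_attrs(packet)
    except ValueError:
        return None
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if packet[0] != 1 or len(macs) != 1 or len(macs[0][1]) != 16:
        return None
    off, received = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:end]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return None
    return next((v for t, _, v in attrs if t == NAS_IDENTIFIER), b"")
```

In this flow the NAS-Identifier is read only after the packet has been verified with the secret chosen by source address, so it serves as a label on an already-authenticated request rather than as the lookup key.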