Using NAS identifier instead of IP address

Yusuf yusuf at
Mon Jun 19 07:32:54 CEST 2017

The default method of freeradius identifying the source Access-Request 
packets requests is using IP addresses. But as many of you know, A lot 
of people don't have IP static addresses.

IMHO, A workaround this problem could be to modify freeradius source 
code to use the NAS identifier + radius secret to authenticate (instead 
of source ip address+ radius secret)

However, As per


They say :

Code: [Select]
NAS-Identifier MUST NOT be used to select the shared secret used to 
authenticate the request. The source IP address of the Access-Request 
packet MUST be used to select the shared secret.

Can anyone tell me why not? what are the security implications (if any).

Quick search on google mentions why NOT to do it, but does not explain 
the "WHY" of it.


More information about the Freeradius-Users mailing list