Using NAS identifier instead of IP address

Alan DeKok aland at
Mon Jun 19 13:56:25 CEST 2017

On Jun 19, 2017, at 1:32 AM, Yusuf <yusuf at> wrote:
> The default method of freeradius identifying the source of Access-Request packets is using IP addresses. But as many of you know, a lot of people don't have static IP addresses.
> IMHO, a workaround for this problem could be to modify freeradius source code to use the NAS identifier + radius secret to authenticate (instead of source IP address + radius secret).

  The standard way to fix the problem is to use IPsec, or RADIUS over TLS.

> However, As per
> 1)
> 2)

  Why are you looking at random third-party web sites?

  There are standards which explain RADIUS.  RFC 6614, for example, which is RADIUS over TLS. These standards explain not only *how* the standard works, but *why*.

> They say :
> NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
> Can anyone tell me why not? What are the security implications (if any)?

  Are you willing to let anyone on the net send RADIUS packets to your RADIUS server?

  Alan DeKok.
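
The rule quoted in this thread, as an added example (not part of the original messages and not FreeRADIUS code): a server that picks the shared secret from the source IP decides who is a client before reading the packet, while one that picks it from NAS-Identifier takes that decision from a field the sender fills in. The client tables, addresses, secrets and function names below are constructed for illustration.

```python
import struct

# Constructed sample data: addresses, NAS names and secrets are made up.
CLIENTS_BY_IP = {"192.0.2.10": b"secret-for-nas1"}
CLIENTS_BY_NAS_ID = {"nas1": b"secret-for-nas1"}

ACCESS_REQUEST = 1    # RADIUS packet code
USER_NAME = 1         # attribute type
NAS_IDENTIFIER = 32   # attribute type
HEADER_LEN = 20       # code(1) + id(1) + length(2) + authenticator(16)

def build_access_request(attrs, ident=1, authenticator=bytes(16)):
    """Encode a minimal Access-Request from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + authenticator + body

def parse_attributes(packet):
    """Return {type: first value}, rejecting malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def secret_by_source_ip(src_ip, packet):
    """RFC behaviour: the lookup never touches packet contents."""
    return CLIENTS_BY_IP.get(src_ip)  # None means drop the packet

def secret_by_nas_identifier(src_ip, packet):
    """Proposed behaviour: the key comes from a sender-supplied attribute."""
    nas_id = parse_attributes(packet).get(NAS_IDENTIFIER, b"")
    return CLIENTS_BY_NAS_ID.get(nas_id.decode("ascii", "replace"))

if __name__ == "__main__":
    pkt = build_access_request([(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"nas1")])
    for src in ("192.0.2.10", "203.0.113.77"):  # known NAS, unknown host
        print(src, "by IP:", secret_by_source_ip(src, pkt) is not None,
              "by NAS-Identifier:", secret_by_nas_identifier(src, pkt) is not None)
```

With the IP-keyed table the packet from the unknown address is dropped unparsed; with the NAS-Identifier table the same bytes are accepted for processing from any address.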
