NAS identifier to authenticate users instead of IP address?
-
The default method FreeRADIUS uses to identify the source of Access-Request packets is the IP address. But as many of you know, a lot of people don't have static IP addresses.
IMHO, a workaround for this problem could be to modify the FreeRADIUS source code to use the NAS identifier + RADIUS secret to authenticate (instead of source IP address + RADIUS secret).
However, as per
- https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
- https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345
they say:
NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
Can anyone tell me why not? What are the security implications (if any)?
Even a company as big/popular as Hotspot Systems uses the NAS identifier to identify client routers / NAS devices.
A quick search on Google mentions why NOT to do it, but does not explain the "WHY" of it.
Thanks!
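Added here as an illustration, not code from the thread or from FreeRADIUS: a minimal Python model of the two secret-selection policies the question compares (source IP versus NAS-Identifier), followed by the Message-Authenticator check that depends on whichever secret was selected. Client names, addresses and secrets are constructed, and the policy functions are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80
# Constructed client table (hypothetical names/addresses): the RFC 2865 rule keys
# the secret by source IP; the alternative from the question keys it by NAS-Identifier.
SECRETS_BY_IP = {"203.0.113.10": b"s3cret-branch-A", "203.0.113.20": b"s3cret-branch-B"}
SECRETS_BY_NAS_ID = {b"branch-A": b"s3cret-branch-A", b"branch-B": b"s3cret-branch-B"}

def find_attr(pkt: bytes, atype: int):
    """Return (offset, value) of the first attribute of type `atype`, or None."""
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            return None  # malformed attribute
        if t == atype:
            return pos, pkt[pos + 2:pos + length]
        pos += length
    return None

def build_access_request(nas_id: bytes, secret: bytes, ident: int = 7) -> bytes:
    """Access-Request with NAS-Identifier and a Message-Authenticator (RFC 2869:
    HMAC-MD5 over the packet with the 16 MAC bytes zeroed)."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify(pkt: bytes, secret: bytes) -> bool:
    """Check the Message-Authenticator with the already-selected secret."""
    found = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    pos, mac = found
    zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
    return hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest())

def authenticate(pkt: bytes, src_ip: str, select_by_nas_id: bool) -> bool:
    """Select the secret by one policy, then verify. src_ip comes from the transport;
    NAS-Identifier is plaintext chosen by the sender, so it is a sender-controlled key."""
    if select_by_nas_id:
        found = find_attr(pkt, NAS_IDENTIFIER)
        secret = SECRETS_BY_NAS_ID.get(found[1]) if found else None
    else:
        secret = SECRETS_BY_IP.get(src_ip)
    return secret is not None and verify(pkt, secret)
```

Under the source-IP policy the same correctly signed packet is rejected when it arrives from an address that is not in the client table, while under the NAS-Identifier policy it is accepted from any address, because the only lookup key is a plaintext attribute written by the sender.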
-
@YQ:
Can anyone tell me why not? what are the security implications (if any).
That's a good question; it would be best if you asked it on a specialized FreeRADIUS forum.
@YQ:
Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices
Their controlled APs use VPN connections - the comms are secured, the IP is fixed ;)
-
Thanks for your answer. Maybe I should post one there too.
Their controlled APs use VPN connections - the comms are secured, the IP is fixed
Not really. They specifically use NAS identifiers to identify hotspots. (I did a search on their site using Google's "site:" parameter.)
-
@YQ:
…..
Not really. They specifically use NAS identifiers to identify hotspots. (I did a search on their site using Google's "site:" parameter.)
Of course they use the NAS.
And the IP …. and who knows what more.
I have the technical doc from these guys http://www.passman-hotels.com/ (a portal operator in France) and their APs are using VPNs.
Or maybe they use a RADIUS server built for their own needs. I can't tell (and they won't tell me ^^).