<![CDATA[Nas identifier to authenticate users instead of IP address?]]>The default method of freeradius identifying the source Access-Request packets requests is using IP addresses. But as many of you know, A lot of people don't have IP static addresses.

IMHO, A workaround this problem could be to modify freeradius source code to use the NAS identifier + radius secret to authenticate (instead of source ip address+ radius secret)

However, As per

  1. https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
  2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345

They say :

NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

Can anyone tell me why not? what are the security implications (if any).

Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

Quick search on google mentions why NOT to do it, but does not explain the "WHY" of it.

Thanks!

]]>https://forum.netgate.com/topic/117060/nas-identifier-to-authenticate-users-instead-of-ip-addressRSS for NodeWed, 17 Jun 2026 04:23:40 GMTSun, 18 Jun 2017 18:17:15 GMT60<![CDATA[Reply to Nas identifier to authenticate users instead of IP address? on Mon, 19 Jun 2017 05:22:29 GMT]]>@YQ:

…..
Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

Of course they use the NAS.
And the IP …. and who knows what more.
I have the technical doc from these guys http://www.passman-hotels.com/ (a portal operator in France) and their AP's are using VPN's.
Or maybe they use a Radius server build for their own needs. I can't tell (and they won't tell me ^^).

]]>https://forum.netgate.com/post/706463https://forum.netgate.com/post/706463Mon, 19 Jun 2017 05:22:29 GMT<![CDATA[Reply to Nas identifier to authenticate users instead of IP address? on Mon, 19 Jun 2017 05:17:21 GMT]]>Thanks for your answer. Maybe I should post one there too.

Their controlled AP's use VPN connections - the comm is secured, the IP is fixed

Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

]]>https://forum.netgate.com/post/706461https://forum.netgate.com/post/706461Mon, 19 Jun 2017 05:17:21 GMT<![CDATA[Reply to Nas identifier to authenticate users instead of IP address? on Mon, 19 Jun 2017 05:13:34 GMT]]>@YQ:

Can anyone tell me why not? what are the security implications (if any).

That a good question ; it would be best if you asked it on a specialized Free-radius forum.

@YQ:

Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

Their controlled AP's use VPN connections - the comm is secured, the IP is fixed ;)

]]>https://forum.netgate.com/post/706460https://forum.netgate.com/post/706460Mon, 19 Jun 2017 05:13:34 GMT