4. Nas identifier to authenticate users instead of IP address?

Nas identifier to authenticate users instead of IP address?

  • N

    The default method of freeradius identifying the source Access-Request packets requests is using IP addresses. But as many of you know, A lot of people don't have IP static addresses.

    IMHO, A workaround this problem could be to modify freeradius source code to use the NAS identifier + radius secret to authenticate (instead of source ip address+ radius secret)

    However, As per

    1. https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
    2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345

    They say :

    NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

    Can anyone tell me why not? what are the security implications (if any).

    Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

    Quick search on google mentions why NOT to do it, but does not explain the "WHY" of it.

    Thanks!

    0

  • @YQ:

    Can anyone tell me why not? what are the security implications (if any).

    That a good question ; it would be best if you asked it on a specialized Free-radius forum.

    @YQ:

    Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

    Their controlled AP's use VPN connections - the comm is secured, the IP is fixed ;)

    0
  • N

    Thanks for your answer. Maybe I should post one there too.

    Their controlled AP's use VPN connections - the comm is secured, the IP is fixed

    Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

    0

  • @YQ:

    …..
    Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

    Of course they use the NAS.
    And the IP …. and who knows what more.
    I have the technical doc from these guys http://www.passman-hotels.com/ (a portal operator in France) and their AP's are using VPN's.
    Or maybe they use a Radius server build for their own needs. I can't tell (and they won't tell me ^^).

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy