Netgate Discussion Forum

    Nas identifier to authenticate users instead of IP address?

      geek00990

      The default method of freeradius identifying the source of Access-Request packets is using IP addresses. But as many of you know, a lot of people don't have static IP addresses.

      IMHO, a workaround for this problem could be to modify the freeradius source code to use the NAS identifier + radius secret to authenticate (instead of source IP address + radius secret).

      However, as per

      1. https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
      2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345

      they say:

      NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
      

      Can anyone tell me why not? What are the security implications (if any)?

      Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices.

      A quick search on Google mentions why NOT to do it, but does not explain the "WHY" of it.

      Thanks!

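An added example, not part of the original post and not FreeRADIUS code: the quoted rule implemented in Python, with the shared secret selected by source IP and NAS-Identifier read only as a label once the packet verifies. The client table, addresses and secrets are constructed, and the integrity check assumes the sender includes a Message-Authenticator attribute (RFC 2869), which the thread does not mention.

```python
import hashlib, hmac, os, struct

NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 32, 80  # RADIUS attribute types
# Constructed client table, keyed by source IP as the quoted rule requires.
CLIENTS = {"192.0.2.10": b"secret-site-a", "192.0.2.20": b"secret-site-b"}

def build_access_request(nas_id: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Build a minimal Access-Request (code 1) carrying a Message-Authenticator."""
    attrs = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed while signing
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def parse_attributes(packet: bytes):
    """Return (type, value_offset, value) tuples; raise ValueError if malformed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def handle_access_request(src_ip: str, packet: bytes):
    """Return the NAS-Identifier label if the packet authenticates, else None."""
    secret = CLIENTS.get(src_ip)  # the secret is chosen by source IP only
    if secret is None:
        return None
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return None
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return None
    off, received = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]  # HMAC covers a zeroed field
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return None
    ids = [val for t, _, val in attrs if t == NAS_IDENTIFIER]
    return ids[0].decode("utf-8", "replace") if ids else ""
```

The NAS-Identifier never takes part in choosing the secret here; it is returned to the caller only after the HMAC computed with the IP-selected secret matches.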
        Gertjan

        @YQ:

        Can anyone tell me why not? what are the security implications (if any).

        That's a good question; it would be best if you asked it on a specialized Free-radius forum.

        @YQ:

        Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

        Their controlled APs use VPN connections - the comm is secured, the IP is fixed ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          geek00990

          Thanks for your answer. Maybe I should post one there too.

          Their controlled AP's use VPN connections - the comm is secured, the IP is fixed

          Not really. They specifically use NAS identifiers to identify hotspots. (Did a search on their site using Google's "site:" parameter.)

            Gertjan

            @YQ:

            …..
            Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

            Of course they use the NAS.
            And the IP …. and who knows what more.
            I have the technical doc from these guys http://www.passman-hotels.com/ (a portal operator in France) and their APs are using VPNs.
            Or maybe they use a Radius server built for their own needs. I can't tell (and they won't tell me ^^).
