Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Nas identifier to authenticate users instead of IP address?

    Captive Portal
    2
    4
    507
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      namek last edited by

      The default method of freeradius identifying the source Access-Request packets requests is using IP addresses. But as many of you know, A lot of people don't have IP static addresses.

      IMHO, A workaround this problem could be to modify freeradius source code to use the NAS identifier + radius secret to authenticate (instead of source ip address+ radius secret)

      However, As per

      1. https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
      2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345

      They say :

      NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.

      Can anyone tell me why not? what are the security implications (if any).

      Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

      Quick search on google mentions why NOT to do it, but does not explain the "WHY" of it.

      Thanks!

      1 Reply Last reply Reply Quote 0
      • Gertjan
        Gertjan last edited by

        @YQ:

        Can anyone tell me why not? what are the security implications (if any).

        That a good question ; it would be best if you asked it on a specialized Free-radius forum.

        @YQ:

        Even a company as big / popular as hotspot systems uses NAS identifier to identify client routers / NAS devices

        Their controlled AP's use VPN connections - the comm is secured, the IP is fixed ;)

        1 Reply Last reply Reply Quote 0
        • N
          namek last edited by

          Thanks for your answer. Maybe I should post one there too.

          Their controlled AP's use VPN connections - the comm is secured, the IP is fixed

          Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

          1 Reply Last reply Reply Quote 0
          • Gertjan
            Gertjan last edited by

            @YQ:

            …..
            Not really. They specifically use nas identifiers to identify hotspots. (did a search on their site using google's "site:" parameter)

            Of course they use the NAS.
            And the IP …. and who knows what more.
            I have the technical doc from these guys http://www.passman-hotels.com/ (a portal operator in France) and their AP's are using VPN's.
            Or maybe they use a Radius server build for their own needs. I can't tell (and they won't tell me ^^).

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy