Nas identifier to authenticate users instead of IP address?



  • The default method FreeRADIUS uses to identify the source of Access-Request packets is the IP address. But as many of you know, a lot of people don't have static IP addresses.

    IMHO, a workaround for this problem could be to modify the FreeRADIUS source code to use the NAS identifier + RADIUS secret to authenticate (instead of source IP address + RADIUS secret).

    However, as per

    1. https://www.dialogic.com/webhelp/BorderNet2020/1.1.0/WebHelp/radatt_nasidentifier.htm
    2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-NAS-id-and-how-to-use-it/ta-p/239345

    They say:

    NAS-Identifier MUST NOT be used to select the shared secret used to authenticate the request. The source IP address of the Access-Request packet MUST be used to select the shared secret.
    

    Can anyone tell me why not? What are the security implications (if any)?

    Even a company as big / popular as hotspot systems uses the NAS identifier to identify client routers / NAS devices.

    A quick search on Google mentions why NOT to do it, but does not explain the "WHY" of it.

    Thanks!
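
    As an added illustration of the "WHY" (example code written for this thread, not FreeRADIUS code and not from the poster or from any hotspot vendor): the Response Authenticator of every RADIUS reply is MD5 over the reply plus the shared secret (RFC 2865 section 3). If the server picks the secret from the NAS-Identifier attribute, which is just an unauthenticated field inside the request, then anyone on the Internet can send one packet from their own address naming any NAS they like, receive a reply keyed with that NAS's secret, and brute-force the secret offline. With source-IP selection the same packet is dropped, and an attacker who spoofs a registered NAS's address never sees the reply because it is routed to the real NAS. The client table, IPs (RFC 5737 documentation ranges), secrets and wordlist below are constructed for the example; the server is a simplified model that always rejects.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32

# Constructed client table: hypothetical NAS devices, each known by IP and NAS-Identifier.
CLIENTS = {
    "hotspot-paris-01": {"ip": "198.51.100.10", "secret": b"sunshine"},
    "hotspot-lyon-02": {"ip": "198.51.100.11", "secret": b"Tr0ub4dor&3"},
}

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs (Type, Length, Value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs back into [(type, value_bytes), ...]."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def server_handle(packet, src_ip, select_by):
    """Toy RADIUS server. Returns the reply bytes, or None when the request is dropped."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    if select_by == "ip":
        client = next((c for c in CLIENTS.values() if c["ip"] == src_ip), None)
    else:  # the variant the question proposes: trust NAS-Identifier from inside the packet
        nas_id = next((v for t, v in attrs if t == NAS_IDENTIFIER), b"")
        client = CLIENTS.get(nas_id.decode("ascii", "replace"))
    if client is None:
        return None  # unknown client: drop silently, as FreeRADIUS does
    # The policy decision is irrelevant here: the reply is keyed with the secret either way.
    reply_attrs = [(REPLY_MESSAGE, b"access denied")]
    auth = response_authenticator(ACCESS_REJECT, ident, request_auth, reply_attrs, client["secret"])
    return build_packet(ACCESS_REJECT, ident, auth, reply_attrs)

def attacker_probe(target_nas_id, select_by, attacker_ip="203.0.113.99"):
    """Send one Access-Request from an unregistered IP, claiming to be target_nas_id."""
    request_auth = os.urandom(16)
    attrs = [
        (USER_NAME, b"probe"),
        (USER_PASSWORD, os.urandom(16)),  # garbage: the attacker does not know the secret yet
        (NAS_IDENTIFIER, target_nas_id.encode()),
    ]
    packet = build_packet(ACCESS_REQUEST, 0x2A, request_auth, attrs)
    return request_auth, server_handle(packet, attacker_ip, select_by)

def offline_crack(request_auth, reply, wordlist):
    """Brute-force the secret against the Response Authenticator; no further traffic needed."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    reply_auth = reply[4:20]
    attrs = decode_attrs(reply[20:length])
    for candidate in wordlist:
        if response_authenticator(code, ident, request_auth, attrs, candidate) == reply_auth:
            return candidate
    return None

WORDLIST = [b"password", b"radius", b"sunshine", b"letmein"]  # constructed

if __name__ == "__main__":
    ra, reply = attacker_probe("hotspot-paris-01", "ip")
    print("select by source IP: ", "dropped" if reply is None else "replied")
    ra, reply = attacker_probe("hotspot-paris-01", "nas_id")
    print("select by NAS-Id:    ", "dropped" if reply is None else "replied")
    print("recovered secret:    ", offline_crack(ra, reply, WORDLIST))
```

    The same reasoning applies in the other direction: once one NAS's secret leaks, a NAS-Identifier lookup lets anyone use it from any address, whereas an IP lookup still requires owning (or spoofing and sitting on the return path of) that NAS's registered address. The attribute is fine for accounting and policy, which is what the "identify hotspots" usage in the thread is about; it is only the choice of secret that must stay tied to the source IP.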



  • @YQ:

    Can anyone tell me why not? What are the security implications (if any)?

    That's a good question; it would be best if you asked it on a specialized FreeRADIUS forum.

    @YQ:

    Even a company as big / popular as hotspot systems uses the NAS identifier to identify client routers / NAS devices.

    Their controlled APs use VPN connections - the communication is secured, the IP is fixed ;)



  • Thanks for your answer. Maybe I should post one there too.

    Their controlled APs use VPN connections - the communication is secured, the IP is fixed

    Not really. They specifically use NAS identifiers to identify hotspots. (I did a search on their site using Google's "site:" parameter.)



  • @YQ:

    …..
    Not really. They specifically use NAS identifiers to identify hotspots. (I did a search on their site using Google's "site:" parameter.)

    Of course they use the NAS.
    And the IP …. and who knows what more.
    I have the technical doc from these guys http://www.passman-hotels.com/ (a portal operator in France) and their APs are using VPNs.
    Or maybe they use a RADIUS server built for their own needs. I can't tell (and they won't tell me ^^).

