
FreeRADIUS allow requests based on NAS-Identifier


I am running FreeRADIUS version 2.2.8. All of my NAS clients are on dynamic IP addresses from different ISPs. Therefore I would like to allow requests based on NAS-Identifier rather than NAS IP.

Appreciate if someone can post hints or examples.


Solution

  • This is not possible with FreeRADIUS v3.0.x, as all clients are indexed on either IPv4 or IPv6 address, and FreeRADIUS does not decode packets until it has found a valid client.

    FreeRADIUS v4.0.x will likely support this, but the work hasn't been completed yet as far as I'm aware.

    Your main options are:

    • Define a client for 0.0.0.0/0 and use the same shared secret everywhere.
    • Colocate a RADSEC (RADIUS over TLS) Proxy on the same box as the access points, or in the same network, and use that to wrap the UDP RADIUS packets.
    • Buy NAS with RADSEC support built in.
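
A sketch of the first option in FreeRADIUS 2.2.x syntax, combined with a NAS-Identifier allowlist applied once the packet has been accepted under the catch-all client. This is an added example, not configuration from the answer above; the shortname, the placeholder secret and the `branch-ap-01` / `branch-ap-02` identifiers are assumptions.

```text
# --- clients.conf (FreeRADIUS 2.2.x syntax) ---
# Catch-all client: any source IPv4 address is accepted as a NAS, so the
# shared secret is the only thing authenticating the sender.
client 0.0.0.0/0 {
    # Placeholder: substitute a long, randomly generated secret.
    secret = REPLACE_WITH_LONG_RANDOM_SECRET
    shortname = roaming-nas
    # Drop Access-Requests that lack a Message-Authenticator attribute.
    # Confirm every NAS sends one before enabling this.
    require_message_authenticator = yes
}

# --- sites-enabled/default, at the top of the authorize section ---
authorize {
    # Runs only after the packet was accepted under the catch-all client.
    # branch-ap-01 / branch-ap-02 are constructed sample identifiers.
    if (!NAS-Identifier) {
        reject
    }
    elsif (NAS-Identifier !~ /^(branch-ap-01|branch-ap-02)$/) {
        reject
    }

    # ... existing authorize modules (preprocess, files, eap, ...) follow
}
```

NAS-Identifier is a value the sender asserts, and with one secret shared by every NAS the allowlist is a filter, not proof of which device sent the request. The RadSec options in the list above authenticate each device with TLS instead.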