Hi Alan,

I realise I've asked for this before, and it is on your todo list, but I'd like to make a case again for maybe getting it moved up higher on the list.

The current "clients" structure identifies the NASes by IP address.
While this is perfect for corporate environments, it is not so perfect for the hotspot environment in which we operate.

We have a central radius server for many different hotspot owners.
Hotspots are running chillispot.

We need to somehow authenticate the NAS, so someone cannot send "rogue" accounting info to radius.

The only way to currently identify a NAS is by IP address. You can then look up the NAS, and create a "radius secret" based on the IP address. This is done using the dynamic_clients virtual server.

The problem is that the hotspots can be anywhere. They are mostly behind ADSL lines. The source IP address of the radius packet is therefore not predictable.

The only other way I can think of is identifying the NAS by the NAS-Identifier.

To sum up.
Currently a NAS is "authenticated" by IP address/radius secret.
I feel that being able to "authenticate" a NAS by NAS-Identifier/radius secret is a very good enhancement.

I'm sure that I'm not the only one that has NASes behind dynamic IPs, and this would make radius traffic from such NASes much more secure.

I'm prepared to do it myself, but my C skills really suck. I can only do "copy and paste" type editing.

I've spent a few hours looking at the code, and it seems that (in listen.c) you need to create the "value pairs" somehow before sending the packet to module_authorize, but I have no clue how to even attempt this.

I'm fully prepared to try and contribute somehow, but this is way out of my league.

Anyway, end of long story. I simply hope to get this maybe moved a bit higher up on the todo list.

Thanks!!!


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
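
An added illustration of the check requested in the message above (not FreeRADIUS code and not part of the original post): the NAS-Identifier is used only as a lookup key for the shared secret, and the packet is accepted only if the RFC 2866 Accounting-Request authenticator verifies under that secret. The secrets table, NAS names and function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
NAS_IDENTIFIER = 32     # attribute type (RFC 2865)
# Hypothetical per-hotspot secrets keyed by NAS-Identifier (constructed values).
SECRETS = {b"hotspot-cafe-01": b"s3cret-cafe", b"hotspot-hotel-07": b"s3cret-hotel"}

def parse_attributes(data):
    """Return {type: [values]} for the attribute section; raise if malformed."""
    attrs, i = {}, 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0  # 0 means truncated header
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(data[i], []).append(data[i + 2:i + alen])
        i += alen
    return attrs

def accounting_authenticator(code, ident, attrs_raw, secret):
    """MD5(Code + ID + Length + 16 zero octets + attributes + secret), RFC 2866."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_raw))
    return hashlib.md5(header + b"\x00" * 16 + attrs_raw + secret).digest()

def verify_accounting_request(packet, secrets=SECRETS):
    """Return the NAS-Identifier if the packet authenticates, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    attrs_raw = packet[20:length]
    try:
        ids = parse_attributes(attrs_raw).get(NAS_IDENTIFIER, [])
    except ValueError:
        return None
    if len(ids) != 1 or ids[0] not in secrets:
        return None  # the identifier is unauthenticated: only a lookup key
    expected = accounting_authenticator(code, ident, attrs_raw, secrets[ids[0]])
    return ids[0] if hmac.compare_digest(expected, packet[4:20]) else None

def build_accounting_request(ident, nas_id, secret):
    """Construct a sample packet carrying only a NAS-Identifier (for testing)."""
    attrs_raw = bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    auth = accounting_authenticator(ACCOUNTING_REQUEST, ident, attrs_raw, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs_raw))
    return header + auth + attrs_raw
```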
