> The problem is that the hotspots can be anywhere. They are mostly
> behind ADSL lines. The source ip address of the radius packet is
> therefore not predictable.

Ahem, it's not. But subnet is. There can't be that many IP pools ADSL providers can use. And you configure the subnet, not exact IP in dynamic-clients. Just make one for each ADSL pool.

> The only other way I can think of is identifying the nas by the
> NAS-Identifier.

Why "other"? That's a bad idea.

> To sum up.
> Currently a nas is "authenticated" by ip address/radius secret.
> I feel that being able to "authenticate" a nas by nas identifier/radius
> secret is a very good enhancement.
>
> I'm sure that I'm not the only one that has NAS's behind dynamic IPs,
> and this would make radius traffic from such NAS's much more secure.

No, that would be less secure. Enhancement would be to have NAS-Identifier *on top* of Packet-Src-IP-Address. Then you could assign individual shared secrets to each hotspot (at present whole range has to have same shared secret).

Ivan Kalik
Kalik Informatika ISP
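The three ways of selecting a shared secret discussed in this thread (source subnet only, NAS-Identifier only, NAS-Identifier on top of source subnet), modelled as an added example that is not part of the original e-mail and is not FreeRADIUS code. The subnet, identifiers and secrets are constructed, the policy names are hypothetical, and `sign` is a simplified stand-in for the RADIUS Message-Authenticator check.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: a documentation-range subnet stands in for an ADSL pool.
POOL_A = ipaddress.ip_network("198.51.100.0/24")
POOL_SECRETS = {POOL_A: b"pool-a-secret"}    # one secret per subnet (as at present)
HOTSPOT_SECRETS = {                           # hypothetical per-hotspot secrets
    (POOL_A, "hotspot-cafe"): b"cafe-secret",
    (POOL_A, "hotspot-hotel"): b"hotel-secret",
}

def find_pool(src_ip):
    """Return the most specific configured subnet containing src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    hits = [net for net in POOL_SECRETS if addr in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None

def select_secret(policy, src_ip, nas_id):
    """Pick the shared secret the server would check the packet against."""
    pool = find_pool(src_ip)
    if policy == "subnet":        # source subnet only
        return POOL_SECRETS.get(pool)
    if policy == "id-only":       # NAS-Identifier only, source address ignored
        return next((s for (_, i), s in HOTSPOT_SECRETS.items() if i == nas_id), None)
    if policy == "subnet+id":     # NAS-Identifier on top of source subnet
        return HOTSPOT_SECRETS.get((pool, nas_id)) if pool else None
    raise ValueError(policy)

def sign(secret, nas_id, payload):
    """Simplified stand-in for Message-Authenticator: HMAC-MD5 keyed by the secret."""
    return hmac.new(secret, nas_id.encode() + b"\0" + payload, hashlib.md5).digest()

def accept(policy, src_ip, nas_id, payload, mac):
    """True if a secret exists for this sender and the MAC verifies under it."""
    secret = select_secret(policy, src_ip, nas_id)
    return secret is not None and hmac.compare_digest(sign(secret, nas_id, payload), mac)
```

In this model, "id-only" accepts a correctly keyed packet from any source address, "subnet" lets any holder of the pool secret present any NAS-Identifier, and "subnet+id" requires both the source subnet and the per-hotspot secret to match.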

