help-gnu-radius

Re: [Help-gnu-radius] Q about handling NAS-IP-Address and NAS-Identifier


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Q about handling NAS-IP-Address and NAS-Identifier .
Date: Thu, 24 Jun 2004 15:19:36 +0300

Rahul Joshi <address@hidden> wrote:

> Should the NAS-IP-Address always have
> a value from list present in "etc/raddb/naslist"?

No, it is not required. 

> What behaviour is expected if I send an Access-Request with
> an IP address that is not present in the naslist file?

The request will be processed as usual.

> Is this behaviour correct OR am I missing some configuration of GNU
> radius server to validate the NAS-IP-Address or NAS-Identifier?

This behavior is correct. Raddb/naslist is not related to validation of
the requesting IP addresses. This task is performed using the raddb/clients
file (see
http://www.gnu.org/software/radius/manual/html_node/radius_43.html#SEC105).
If the requesting NAS IP is not listed there, or the request
authenticator does not match the shared key for this IP, such a
request is dropped. Notice also that this check *does not* use
the value of the NAS-IP-Address attribute. Instead it retrieves the originator
IP address from the UDP packet header, as required by RFC 2865.

If you wish to segregate your NASes by the value of NAS-IP-Address or
NAS-Identifier, use raddb/hints. See

  http://www.gnu.org/software/radius/manual/html_node/radius_16.html#SEC19

Regards,
Sergey  
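
The check described in the reply above, sketched as an added example that is not part of the original message and is not GNU Radius code. It uses an Accounting-Request, whose authenticator RFC 2866 defines as an MD5 over the packet and the shared secret; the `CLIENTS` table, addresses, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed stand-in for raddb/clients: source IP -> shared secret.
CLIENTS = {"192.0.2.10": b"constructed-secret"}
NAS_IP_ADDRESS = 4      # attribute type (RFC 2865)
ACCOUNTING_REQUEST = 4  # packet code (RFC 2866)

def build_acct_request(ident, attrs, secret):
    """Build an Accounting-Request with its RFC 2866 authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def parse_attrs(raw):
    """Yield (type, value) pairs from the attribute area."""
    i = 0
    while i + 2 <= len(raw):
        t, n = raw[i], raw[i + 1]
        if n < 2 or i + n > len(raw):
            raise ValueError("malformed attribute")
        yield t, raw[i + 2:i + n]
        i += n

def check_request(src_ip, packet):
    """Return (verdict, claimed NAS-IP-Address); the claim is never consulted."""
    secret = CLIENTS.get(src_ip)  # keyed by UDP source address only
    if secret is None:
        return "drop: unknown client", None
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return "drop: malformed packet", None
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "drop: authenticator mismatch", None
    claimed = None
    for t, v in parse_attrs(packet[20:]):
        if t == NAS_IP_ADDRESS and len(v) == 4:
            claimed = socket.inet_ntoa(v)
    return "accept", claimed

# Constructed packet whose NAS-IP-Address (10.9.9.9) is not a known client.
SAMPLE = build_acct_request(
    1, [(NAS_IP_ADDRESS, socket.inet_aton("10.9.9.9"))], CLIENTS["192.0.2.10"])
```

The same packet is accepted from 192.0.2.10 and dropped from any other source, whatever its NAS-IP-Address attribute says.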