Re: [Help-gnu-radius] Q about handling NAS-IP-Address and NAS-Identifier .

[Rahul Joshi]

Sergey,
       Thanks for your reply.
Could you please  help me by explaining me the
significance of  NAS-IP-Address and NAS-Identifier .
What has confused me is the following sentence of RFC 2865,

Section : 5.4
Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request
     packet.


Then what is the use if  NAS-IP-Address and NAS-Identifier then?

Regards.
-Rahul


Sergey Poznyakoff wrote:

> Rahul Joshi <address@hidden> wrote:
>
>  
>
> >    Should the  NAS-IP-Address always have
> > a value from list present in "etc/raddb/naslist"?
> >    
>
> No, it is not required. 
>
>  
>
> > What behaviour is expected if I send an Access-Request with
> > an IP address that is not present in the the naslist file?
> >    
>
> The request will be processed as usual.
>
>  
>
> >   I this behaviour correct OR I am missing some configuration  of  GNU
> > radius server to validate the NAS-IP-Address or NAS-Identifier?
> >    
>
> This behavior is correct. Raddb/naslist is not related to validation of
> the requesting IP addresses. This task is performed using raddb/clients
> file (see
> http://www.gnu.org/software/radius/manual/html_node/radius_43.html#SEC105).
> If the requesting NAS IP is not listed there, or the request
> authenticator does not match the shared key for this IP, such
> request is dropped. Notice also that this check *does not* use
> the value of NAS-IP-Address attribute. Instead it retrieves originator
> IP address from the UDP packet header, as required by RFC 2865.
>
> If you wish to segregate your NASes by the value of NAS-IP-Address or
> NAS-Identifier, use raddb/hints. See
>
>  http://www.gnu.org/software/radius/manual/html_node/radius_16.html#SEC19
>
> Regards,
> Sergey  
>     
>
>