help-gnu-radius

Re: [Help-gnu-radius] RE: Problem with NAS-Identifier


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] RE: Problem with NAS-Identifier
Date: Thu, 08 Aug 2002 09:54:25 +0300

> NAS-Identifier, it works pretty good. But is there any way to make
> NAS-Identifier work?

It depends only on your NAS, namely whether it sends NAS-Identifier or
it does not. Notice the following:

1) RFC2865 requires that "Either NAS-IP-Address or NAS-Identifier MUST be
   present in an Access-Request packet". Thus, if your raddb/users
   profile works with NAS-IP-Address then it is *guaranteed not to work*
   with NAS-Identifier and vice-versa. Generally speaking it is safer
   to use NAS-IP-Address.
2) NAS-Identifier does not represent the IP of the requesting NAS (as
   you seem to imply in your previous posting). According to RFC, it is 
   merely "a string identifying the NAS originating the Access-Request".
   It may contain almost anything.

> And, if I have more than one NAS-IP-Address, can I put all of them in a
> single line? Or in separate "Default"? As shown in the example below,
> 
> DEFAULT Auth-Type = Local, Password-Location = SQL,
>                 NAS-IP-Address = 192.168.0.126 172.16.0.126 10.100.0.126,
>                 Simultaneous-Use = 1
>         Service-Type = Framed-User,
>                 Framed-Protocol = PPP
> 

No, it would produce an error. NAS-IP-Address has IP data type and its
value must be exactly one IP address. There are several possibilities:

1) If users coming from all your NASes are authenticated via the same
   profile, you shouldn't use NAS-IP-Address at all:

   DEFAULT Auth-Type = Local, 
                   Password-Location = SQL,
                   Simultaneous-Use = 1
           Service-Type = Framed-User,
                   Framed-Protocol = PPP

2) Otherwise, if they are to pass through different profiles, use
   raddb/huntgroups to group your NASes into clusters, e.g.:

   #raddb/huntgroups
   NASGROUP1    NAS-IP-Address = 192.168.0.126  NULL
   NASGROUP1    NAS-IP-Address = 172.16.0.126   NULL
   NASGROUP1    NAS-IP-Address = 10.100.0.126   NULL
   
   NASGROUP2    NAS-IP-Address = 192.168.0.1    NULL
   NASGROUP2    NAS-IP-Address = 192.168.0.2    NULL

   #raddb/users
   DEFAULT      Huntgroup-Name = NASGROUP1,
                        Auth-Type = Local,
                        Password-Location = SQL,
                        Simultaneous-Use = 1
                Service-Type = Framed-User,
                        Framed-Protocol = PPP

   DEFAULT      Huntgroup-Name = NASGROUP2,
                        Auth-Type = <whatever>
                ...


Regards,
Sergey
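
An added example, not part of the original message and not GNU Radius code: a small lint that finds NAS-IP-Address items whose value is not exactly one IPv4 address and turns the address list into one raddb/huntgroups entry per NAS, as the reply suggests. The function names are hypothetical, the input is constructed from the question, and only `=` comparisons and full-line `#` comments are handled.

```python
import ipaddress

# Constructed input: the profile from the question, with the address list on one line.
USERS = """\
DEFAULT Auth-Type = Local, Password-Location = SQL,
                NAS-IP-Address = 192.168.0.126 172.16.0.126 10.100.0.126,
                Simultaneous-Use = 1
        Service-Type = Framed-User,
                Framed-Protocol = PPP
"""

def nas_ip_items(text):
    """Yield (line_no, raw_value) for every 'NAS-IP-Address = ...' item."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # full-line comment
        for item in line.split(","):
            attr, sep, value = item.partition("=")
            words = attr.split()
            # A profile's first line starts with the user name, so the
            # attribute is the last word before the '='.
            if sep and words and words[-1] == "NAS-IP-Address":
                yield no, value.strip()

def lint(text):
    """Return [(line_no, value)] for items that are not a single IPv4 address."""
    bad = []
    for no, value in nas_ip_items(text):
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            bad.append((no, value))
    return bad

def huntgroup_lines(group, value):
    """Expand a space-separated address list into one huntgroups entry per NAS."""
    ips = [ipaddress.IPv4Address(tok) for tok in value.split()]  # raises on junk
    return [f"{group}\tNAS-IP-Address = {ip}\tNULL" for ip in ips]

if __name__ == "__main__":
    for no, value in lint(USERS):
        print(f"raddb/users line {no}: not a single IP address: {value!r}")
        print("\n".join(huntgroup_lines("NASGROUP1", value)))
```

The offending item in raddb/users is then replaced by `Huntgroup-Name = NASGROUP1`, as in the second option of the reply.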


