
NAS Identification (was MIBs)



There are a number of situations in which a NAS may have multiple
IP addresses.  IPv4/IPv6 dual stack operation is one example, but it is
also possible for a NAS to have multiple IPv6 or IPv4 addresses.
A NAS that is a member of multiple VLANs would have an IPv4
address for each VLAN.  A NAS also can have multiple IPv6 or IPv4
addresses on a single interface.

[RFC2865] Section 5.44 states that only a single NAS-IP-Address attribute
may be included in an Access-Request, and that it may not be included in
other messages (Challenge, Reject, Accept).  Similarly, [RFC3162] Section
3 provides the same restrictions for NAS-IPv6-Address.

Since RADIUS only looks at the packet source address to determine the
appropriate shared secret, if a NAS sends packets from different source
addresses, then the RADIUS server needs to have a shared secret for each
address.

My recommendation is that RADIUS clients with multiple addresses SHOULD
use the NAS-Identifier attribute instead of NAS-IPv4-Address or
NAS-IPv6-Address.


Dave Nelson said:

> However, this does bring up another issue, which is how the RADIUS
> server identifies the NAS if it is more than one hop away.  NASes can
> have more than one IPv6 address and this makes it possible for a NAS to
> put a link-scope address in the NAS-IPv6-Address field.  If the proxy is
> on the same link as the RADIUS client, the RADIUS server could receive a
> packet with a NAS-IPv6-Address as a link-local address.
>
> The same issue can occur with IPv4 Link Local, and of course a NAS can
> have more than one IPv4 and IPv6 address.
>
> One potential suggestion might be to use the NAS-Identifier attribute in
> such a situation so as to avoid having to configure the RADIUS server
> with all potential NAS addresses.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
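As an added illustration, not code from the message above or from any RADIUS implementation, the following Python models the two points under discussion: the server can only choose a shared secret by packet source address (so a NAS sending from two addresses needs two client entries even though it is one device), while NAS-Identifier gives it one name for the NAS that does not depend on which address was used or on whether the address attribute carries a link-local value. Attribute numbers are the standard ones (NAS-IP-Address 4 and NAS-Identifier 32 from RFC 2865, NAS-IPv6-Address 95 from RFC 3162); the client table, the NAS name and all addresses are constructed sample data.

```python
"""Model of RADIUS server-side NAS lookup (added example, not from the original post).

Assumptions: the client table CLIENTS_BY_SOURCE, the NAS name and the addresses
are constructed for illustration; attribute numbers follow RFC 2865 / RFC 3162.
"""
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
NAS_IP_ADDRESS = 4      # RFC 2865 section 5.4
NAS_IDENTIFIER = 32     # RFC 2865 section 5.32
NAS_IPV6_ADDRESS = 95   # RFC 3162 section 2.1


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1, counts the header) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(attrs, identifier=0, authenticator=None):
    """Build an Access-Request: Code, Identifier, Length, 16-octet Authenticator, attributes."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + auth + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]) after checking the length fields."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def check_nas_address_attrs(attrs):
    """Apply RFC 2865 5.44 / RFC 3162 3 (0-1 occurrences) and flag link-local values."""
    problems = []
    v4 = [v for t, v in attrs if t == NAS_IP_ADDRESS]
    v6 = [v for t, v in attrs if t == NAS_IPV6_ADDRESS]
    if len(v4) > 1:
        problems.append("more than one NAS-IP-Address in Access-Request")
    if len(v6) > 1:
        problems.append("more than one NAS-IPv6-Address in Access-Request")
    for v in v4:
        if len(v) != 4:
            problems.append("NAS-IP-Address is not 4 octets")
        elif ipaddress.IPv4Address(v).is_link_local:
            problems.append("NAS-IP-Address is IPv4 link-local")
    for v in v6:
        if len(v) != 16:
            problems.append("NAS-IPv6-Address is not 16 octets")
        elif ipaddress.IPv6Address(v).is_link_local:
            problems.append("NAS-IPv6-Address is link-local; meaningless beyond the NAS's own link")
    return problems


# Constructed client table. The shared secret can only be selected by source
# address, so one NAS with two source addresses needs two rows here.
CLIENTS_BY_SOURCE = {
    ipaddress.ip_address("192.0.2.10"): b"secret-for-v4-address",
    ipaddress.ip_address("2001:db8::10"): b"secret-for-v6-address",
}


def resolve_nas(src_addr, packet):
    """Pick the secret by source address; name the NAS by NAS-Identifier, falling back to the address attributes."""
    secret = CLIENTS_BY_SOURCE.get(ipaddress.ip_address(src_addr))
    if secret is None:
        return None  # unknown source: RFC 2865 says the request is silently discarded
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    nas_name = next((v.decode("utf-8", "replace") for t, v in attrs if t == NAS_IDENTIFIER), None)
    if nas_name is None:
        # Without NAS-Identifier the only handle is whichever address attribute was sent.
        for t, v in attrs:
            if t == NAS_IP_ADDRESS and len(v) == 4:
                nas_name = str(ipaddress.IPv4Address(v))
            elif t == NAS_IPV6_ADDRESS and len(v) == 16:
                nas_name = str(ipaddress.IPv6Address(v))
    return {"secret": secret, "nas": nas_name, "problems": check_nas_address_attrs(attrs)}


if __name__ == "__main__":
    ident = attr(NAS_IDENTIFIER, b"nas1.example.net")
    from_v4 = build_access_request([ident, attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])
    from_v6 = build_access_request([ident, attr(NAS_IPV6_ADDRESS, ipaddress.IPv6Address("fe80::1").packed)])
    print(resolve_nas("192.0.2.10", from_v4))     # same NAS name, v4 secret, no problems
    print(resolve_nas("2001:db8::10", from_v6))   # same NAS name, v6 secret, link-local flagged
    print(resolve_nas("198.51.100.7", from_v4))   # None: no secret for that source address
```

The two requests above come from the same NAS but different source addresses, so each needs its own CLIENTS_BY_SOURCE row; NAS-Identifier is what ties them to one device, and the link-local NAS-IPv6-Address is reported as unusable for identification rather than being taken as the NAS's address.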