Hello Brian -
On Thu, 04 May 2000, Brian Keefe wrote:
> After figuring out how to filter based on NAS IP addresses and NAS Ports
> with Radiator,
> it turns out our provider is actually suggesting we filter on the IP of the
> client performing the Radius request.
>
It is sensible to filter as much as possible, not just Radius.
> Using a sniffer, it looks like the NAS IP and NAS PORT values are part of
> the Radius payload and are different than the client sending the Radius
> request.
>
Typically the NAS IP and NAS PORT are the values of what the NAS has allocated
to the customer call. The client (NAS) uses its own IP address when it sends the
Radius request (containing the previously mentioned values).
> So I am confused.
>
Does the explanation above help?
> Filtering on clients sending Radius requests sounds like firewall filtering
> to me.
>
Correct. Although Radiator will only accept requests from Clients that are
listed in the configuration file (this is a good reason to explicitly list all
of your clients individually in the configuration file).
> However, I am not sure what it means to filter on the NAS-Address-Port-List
> values.
>
> Can anyone explain precisely what the NAS-Address-Port-List file refers to?
>
This will limit connections to certain NAS PORTS, according to the list. Some
customers want to be able to sell real ports to their customers, and this is
how to do it.
> Can anyone explain whether Radiator filters on client IP addresses, or
> whether this should be the work of a firewall?
>
See above. But you should *always* have very strict firewalls in place in an
ISP (or indeed any Internet) environment.
hth
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
