packet_src_ip

Background

Most incoming RADIUS packets contains an attribute called NAS-IP-Address. This attribute is however not required as per the RFC since the incoming packet either has to contain NAS-IP-Address or NAS-Identifier, or both.

FreeRADIUS actually for the most part ignore this attribute (aside from using it when recording accounting data). FreeRADIUS has an internal (also called a meta) attribute called Packet-Src-IP-Address. This is the IP Address of the incoming UDP packet. It is used to compare against any clients that is defined in the clients.conf file (or in the nas table if you use sql).

So to summarise we have two important points:

• The incoming packet usually contains an AVP NAS-IP-Address.
• FreeRADIUS stores the IP Address of the incoming packet in the Packet-Src-IP-Address AVP. It does not use the value of NAS-IP-Address for this.

What can this result in?

From the background section we have seen that there are actually two AVP's which contains the IP Address of the incoming packet.

• NAS-IP-Address: This is populated by the NAS before sending the packet to FreeRADIUS.
• Packet-Src-IP-Address: This is created and populated by FreeRADIUS upon receiving the incoming packet.

We can and do get some NAS devices that gives us the ability to specify the value of NAS-IP-Address ourselves.

Generally it is a good thing since it gives us flexibility. Let us consider a place where this can come in very handy.

• Suppose you use the dynamic clients feature of FreeRADIUS and have more than one device connected to FreeRADIUS from behind a NATed firewall.
• FreeRADIUS will store the Packet-Src-IP-Address to be the public; incoming IP Address of the packets.
• We can however now specify a different value for NAS-IP-Address on each NAS that is configured behind the NATed firewall.
• In this way we can see the traffic and users connected to each NAS even though they share a common value for Packet-Src-IP-Address.

Configuring Coova Chilli