RADIUSdesk


user_guide:nas_devices [2016/06/02 23:09] (current)
admin created
====== NAS devices (RADIUS clients) ======
===== Introduction =====
RADIUSdesk is a web based management interface on top of the FreeRADIUS server. Every RADIUS server has RADIUS clients. RADIUS clients have two important characteristics:
  * The server which is contacted needs to know the IP Address of the client.
  * The server and the client share a phrase known as a **shared secret**, which is known by both of them but by none of the other clients.

===== What does a NAS device do? =====
A NAS device controls access to, and the resources on, a data network.\\
A NAS device is in turn a server to the clients which need to connect through it to the data network.

===== Typical NAS devices =====
  * Captive portals
    * Mikrotik Hotspots
    * CoovaChilli
    * pfSense
  * WiFi Access Points that use WPA2 Enterprise encryption.
  * VPN servers.
  * Enterprise network switches with 802.1X enabled.

There are also clients of the RADIUS server which do not always need to be NAS devices. Some of them are:
  * Network equipment like high end Ethernet switches that use RADIUS as a central authentication database.
  * Linux servers that use pam_radius for a central user store and Authentication, Accounting and Authorization.
  * This in turn enables certain services to use RADIUS:
    * FTP server
    * Apache server
    * PPTP server

------------
===== Managing NAS devices in RADIUSdesk =====
One of the first actions you are likely to take is to add a NAS device to RADIUSdesk. This is done through the **NAS devices** applet.

===== Add a NAS device =====
When you add a NAS device through the **NAS devices** applet you need to collect some information beforehand in order to supply it when you add the NAS device.\\
The information itself depends on the connection type of the device.

<WRAP center round tip 60%>
There are four connection types:
  * Direct connection (Fixed IP Address)
  * Dynamic client (Unknown IP Address)
  * PPTP
  * OpenVPN
</WRAP>

Your installation of RADIUSdesk may not have all of them enabled, since not everyone needs all four types available. Enabling and disabling the connection types is beyond the scope of this document and is discussed under the **Technical discussions** section.

==== Add a direct connected device ====
With a direct connected device you need to have:

^ Item  ^ Typical value  ^ Comment  ^
| NAS device's IP Address | 42.34.12.12 | |
| Shared secret | testing123 | Something that is secure and obscure. |
| Name for device | Coova-AP-Pta-01 | This can be anything really, but you are encouraged to work out a naming convention. |

==== Add a Dynamic client ====
With a Dynamic Client you need to have:

^ Item  ^ Typical value  ^ Comment  ^
| Unique AVP attribute | NAS-Identifier | Can also be one of the other attributes from the list further down. |
| Unique AVP attribute value | Coova-AP-Pta-01 | Some value that identifies the device uniquely.\\ The device will include this AVP and value when it contacts the RADIUS server. |
| Shared secret | testing123 | Something that is secure and obscure. |
| Name for device | Coova-AP-Pta-01 | This can be anything really, but you are encouraged to work out a naming convention. |

With a dynamic client you have to ensure that FreeRADIUS is compiled and configured in such a way as to allow Dynamic Clients.\\
You can read more about Dynamic Clients on this page: https://sourceforge.net/apps/trac/hotcakes/wiki/YfiTechDynamicClients.\\
Dynamic Clients will typically be used when the NAS device sits behind a NAT firewall.

<WRAP center round tip 60%>
  * Dynamic Clients go hand-in-hand with devices behind a NAT firewall.
  * Dynamic Clients are also **most likely** to use a **heartbeat** system for communication **FROM** RADIUSdesk **TO** the NAS device **THROUGH** the NAT firewall.
</WRAP>

Although you do not need to know the IP Address of a Dynamic Client, there is something a bit more involved to know about the NAS device.\\ For a Dynamic Client to be identifiable we have to zoom in on one of the AVPs in the incoming RADIUS packet. Usually it will be one of the following:
  * NAS-IP-Address
  * NAS-Identifier
  * Called-Station-Id
One of these AVPs is typically included in every RADIUS packet which the client sends to the server, allowing FreeRADIUS to identify the client and register the device on the fly.\\
The simplest way to find out which of them are included is to do the following:
  * Give the NAS device a known IP Address.
  * Register the NAS device with this known IP on the RADIUS server.
  * Point the NAS device to the RADIUS server.
  * Restart the FreeRADIUS server in debug mode:
<code bash>
sudo /etc/init.d/radiusd stop
sudo radiusd -X
</code>
  * Restart the NAS device.
  * The NAS device will typically send an **Accounting-Off** and **Accounting-On** packet to the RADIUS server, which you can then evaluate to decide which AVP will be the best one to use.

<WRAP center round info 60%>
This section is quite technical and you do not need to understand everything from the word go.\\
If you know **CoovaChilli** for instance, the values of these attributes are determined by settings like:
  * HS_NASIP -> NAS-IP-Address
  * HS_NASID -> NAS-Identifier
  * HS_NASMAC -> Called-Station-Id
</WRAP>
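The following is an added example, not RADIUSdesk or FreeRADIUS code, covering the debug-mode check above and the CoovaChilli note: it builds a constructed Accounting-On request such as a hotspot with HS_NASID=Coova-AP-Pta-01 might send at boot, reports which of the three candidate AVPs it carries, and recomputes the RFC 2866 Request Authenticator with the server's shared secret, which is how a server tells a client that holds the right secret from one that does not. The IP address, device name and secret are the example values from the tables above; the MAC in Called-Station-Id is made up.

```python
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)
ATTR_NAMES = {4: "NAS-IP-Address", 30: "Called-Station-Id", 32: "NAS-Identifier", 40: "Acct-Status-Type"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}
IDENTIFYING_AVPS = ("NAS-IP-Address", "NAS-Identifier", "Called-Station-Id")

def build_accounting_request(ident, avps, secret):
    """Encode (type, value) AVPs behind a header; Request Authenticator = MD5(hdr + 16 zero octets + attrs + secret)."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def authenticator_valid(packet, secret):
    """Recompute the authenticator with the server's copy of the shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]

def parse_avps(packet):
    """Walk the attribute list and decode the four AVPs this page cares about."""
    length = struct.unpack("!BBH", packet[:4])[2]
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    found, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value, name = packet[pos + 2:pos + alen], ATTR_NAMES.get(atype)
        if name == "NAS-IP-Address":
            found[name] = str(ipaddress.IPv4Address(value))
        elif name == "Acct-Status-Type":
            found[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        elif name:
            found[name] = value.decode("ascii", "replace")
        pos += alen
    return found

def identifying_avps(packet):
    """Which of the three candidate AVPs this packet actually carries."""
    return [n for n in IDENTIFYING_AVPS if n in parse_avps(packet)]

# Constructed sample: what a CoovaChilli hotspot with HS_NASID=Coova-AP-Pta-01 might send at boot.
SECRET = b"testing123"  # the example secret from the tables above, not a recommendation
SAMPLE = build_accounting_request(7, [
    (4, ipaddress.IPv4Address("42.34.12.12").packed), (32, b"Coova-AP-Pta-01"),  # NAS-IP-Address, NAS-Identifier
    (30, b"00-11-22-33-44-55"), (40, struct.pack("!I", 7))], SECRET)  # Called-Station-Id (made-up MAC), Accounting-On
```

Running `sudo radiusd -X` shows these same attributes decoded in the request dump; a wrong secret shows up there as a packet the server refuses to accept.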