This is an old revision of the document!

PPSK support in FreeRADIUS

  • FreeRADIUS offers support for loadable modules in Perl and Python.
  • RADIUSdesk includes a couple of Perl modules with its FreeRADIUS implementation to help where Unlang lacks in capabilities.
  • The RADIUS protocol in its most traditional implementation does not allow communication back to the RADIUS client, e.g. to terminate a user's session with a NAS.
  • As new enhancements were added to the RADIUS protocol, a mechanism was added to reach the client via Change Of Authority (COA) and Packet Of Disconnect (POD) requests from the RADIUS server to the RADIUS client.
  • We can say that the RADIUS client took on features of the RADIUS server.
  • This mechanism works well in an environment where the RADIUS server can reach the RADIUS client directly at IP level (no NAT firewalls in between)
  • Unfortunately, not all environments offer this possibility today, so alternative ways have emerged to reach the RADIUS client from the RADIUS server.
  • In RADIUSdesk we use the API that is part of RouterOS to reach Mikrotik RADIUS Clients.
  • In MESHdesk and APdesk we use the MQTT system (or heartbeat fallback).
  • With this in mind, let us look at the flow of a simple Private PSK implementation on RADIUSdesk as well as a more advanced Private PSK implementation with data restrictions.

Simple hotstapd with RADIUS flow

Advanced hotstapd with RADIUS flow

  • The Intelligent VLAN Engine runs on the RADIUSdesk server and is crucial if you want to implement Private PSK with data restrictions.
  • It constantly monitors a user's usage and if it detects that a certain limit has been reached, it will act accordingly.
  • This usually starts by sending a disconnect instruction to the AP or mesh node the user is currently connected to.
  • The user's device will attempt to reconnect to the same SSID after it has been disconnected.
  • The Intelligent VLAN engine will now apply the new restrictions to the newly established connection, if there are any.
  • The Intelligent VLAN Engine also removes restrictions by disconnecting and reconnecting a user when it detects that a restriction needs to be lifted, e.g. when a daily, weekly or monthly limit no longer applies

  • technical/ppsk-radius.1714374189.txt.gz
  • Last modified: 2024/04/29 09:03
  • by system