
NAS devices (RADIUS clients)

Introduction

RADIUSdesk is a web-based management layer on top of the FreeRADIUS server. Every RADIUS server will have RADIUS clients. RADIUS clients have two important characteristics.

What does a NAS device do?

A NAS device controls the access and resources on a data network.
A NAS device in turn is a server to clients which need to connect through them to the data network.

Typical NAS devices

There are also clients of the RADIUS server which are not necessarily NAS devices. Some of them are:


Managing NAS devices in RADIUSdesk

One of the first things you are likely to do is add a NAS device to RADIUSdesk. This is done through the NAS devices applet.

Add a NAS device

When you add a NAS device through the NAS devices applet you need to collect some information beforehand in order to supply it when you add the NAS device.
The information itself depends on the connection type of the device.

There are four connection types:

  • Direct connection (Fixed IP Address)
  • Dynamic client (Unknown IP Address)
  • PPTP
  • OpenVPN

Your installation of RADIUSdesk may not have all of them enabled, since not everyone needs to have all four types available. Enabling and disabling the connection types is beyond the scope of this document and is discussed under the Technical discussions section.

Add a direct connected device

With a direct connected device you need to have:

| Item | Typical value | Comment |
|------|---------------|---------|
| NAS device's IP Address | 42.34.12.12 | |
| Shared secret | testing123 | something that is secure and obscure |
| Name for device | Coova-AP-Pta-01 | This can be anything really but you are encouraged to work out a convention. |

Add a Dynamic client

With a Dynamic Client you need to have:

| Item | Typical value | Comment |
|------|---------------|---------|
| Unique AVP attribute | NAS-Identifier | Can also be one of the others from the list |
| Unique AVP attribute value | Coova-AP-Pta-01 | Some value to identify the device by uniquely. The device will include this AVP and value when it contacts the RADIUS server. |
| Shared secret | testing123 | something that is secure and obscure |
| Name for device | Coova-AP-Pta-01 | This can be anything really but you are encouraged to work out a convention. |

With a dynamic client you have to ensure that FreeRADIUS is compiled and configured in such a way as to allow Dynamic Clients.
You can read more about Dynamic Clients on this page: https://sourceforge.net/apps/trac/hotcakes/wiki/YfiTechDynamicClients.
Dynamic Clients will typically be used when the NAS device sits behind a NAT firewall.

  • Dynamic Clients go hand-in-hand with devices behind a NAT firewall.
  • Dynamic Clients are also most likely to use a heartbeat system for communication FROM RADIUSdesk TO the NAS device THROUGH the NAT firewall.

Although you do not need to know the IP Address of the Dynamic Client, there is something a bit more involved to know about the NAS device.
For a Dynamic Client to be identifiable we have to zoom in on one of the AVPs in the incoming RADIUS packet. Usually it will be one of the following:

One of these AVPs is typically included in every RADIUS packet which the client sends to the server, allowing FreeRADIUS to identify the client and register the device on the fly.
The simplest way to find out which are included is to do the following:

sudo /etc/init.d/radiusd stop
sudo radiusd -X

This section is quite technical and you do not need to understand everything from the word go.
If you know CoovaChilli, for instance, the values of these attributes are determined by settings like:

  • HS_NASIP → NAS-IP-Address
  • HS_NASID → NAS-Identifier
  • HS_NASMAC → Called-Station-Id
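
To make the identification step concrete, the following added example (not part of RADIUSdesk or FreeRADIUS) parses a raw RADIUS packet and reports which of the three identifying AVPs it carries, then looks the result up in a registry. The sample packet is constructed, and the registry layout and the function names are assumptions made for illustration.

```python
import socket
import struct

# RFC 2865 type numbers of the three AVPs this page names as identifiers.
IDENTIFYING = {4: "NAS-IP-Address", 30: "Called-Station-Id", 32: "NAS-Identifier"}

def build_sample_request():
    """Constructed Access-Request (code 1); every value here is made up."""
    avps = [(1, b"alice"),                        # User-Name
            (4, socket.inet_aton("10.1.0.1")),    # NAS-IP-Address
            (30, b"00-11-22-33-44-55"),           # Called-Station-Id
            (32, b"Coova-AP-Pta-01")]             # NAS-Identifier
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    # Header: code, identifier, total length, 16-byte authenticator (zeroed).
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def identifying_avps(packet):
    """Return {attribute name: value} for identifying AVPs found in packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == 4 and len(value) == 4:
            found[IDENTIFYING[4]] = socket.inet_ntoa(value)
        elif a_type in (30, 32):
            found[IDENTIFYING[a_type]] = value.decode("utf-8", "replace")
        pos += a_len
    return found

def match_dynamic_client(packet, registry):
    """Hypothetical lookup: registry maps (attribute, value) -> device name."""
    for pair in identifying_avps(packet).items():
        if pair in registry:
            return registry[pair]
    return None

if __name__ == "__main__":
    print(identifying_avps(build_sample_request()))
```
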