User authentication for remote NAS'?

wefwe fewfew totallimpbizkit at
Mon Apr 3 10:52:02 CEST 2017

Hi guys,

Thanks for the feedback.

I went with Brian's advise and started small.

By adding the NAS-ID attribute to the user I can limit access from a certain ID regardless of the IP in my test setup. This is not how I eventually want it to be but it will do for now.

Second problem I'm running into is accounting. I have no idea how get this to work.

I thought it would be fairly straight forward to have freeradius check daily/weekly/monthly/total time online/data used and allow/disconnect a user based on that.

I've looked at this guy's guide, seems he also asked a bit on the mailing list.

But I can't get the data usage part to work. I sent to total limit attribute as supported by my NAS (mikrotik) which works fine on a per sessions basis but not when disconnecting. Even if I could get it to work, does COA really require a IP to be set or can I use a variable as well? The NAS IP will be dynamic. I tried setting variables but that gave an error about being unable to send a request to the NAS port (even though it gave the right IP. I don't have access to my test setup right now so I'll send the log output later).

The biggest problem I'm having is with the documentation. All information is spread over the Internet over the past decade with bits and pieces everywhere but nowhere there is documentation that tells you though from all the question asked online it seems like a lot of users have problems with it.

Long story short is that I want FR/mysql to check how long a user is still allowed online or how much bandwidth he has left and reject access/disconnect a user based on that.

From: Freeradius-Users < at> on behalf of Alan DeKok <aland at>
Sent: Thursday, March 30, 2017 2:04:07 PM
To: FreeRadius users mailing list
Subject: Re: User authentication for remote NAS'?

On Mar 30, 2017, at 9:20 AM, Brian Candler <b.candler at> wrote:
> On 30/03/2017 13:44, Alan DeKok wrote:
>>> I was thinking about using the NAS-ID or called-station-id to authenticate instead. The NAS-ID is in the rad_recv request so I'm figuring somehow it must be possible to use that?
>>   It's not possible.
> If you have multiple NASes behind a NAT, then obviously you can't have different shared secrets for each one, but I don't think that's what the OP was asking.

  He was pretty clear that he had multiple NASes behind NAT gateways.  That just doesn't work.

  I suspect he was trying to authenticate the *NAS*, not the user.  But the question was unclear.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list