User authentication for remote NAS'?

Brian Candler b.candler at
Thu Mar 30 10:47:38 CEST 2017

On 30/03/2017 03:15, wefwe fewfew wrote:
> However one thing I'm totally unable to figure out is how I can base authentication on which NAS a user is trying to log in from.
> I've been reading the mailing lists, googling, and there are people with similar questions but I've yet to find an answer. Hopefully somebody can give me some pointers:)
> Goal:
> Have multiple NAS' in remote locations authenticate with a central Freeradius server.
> The NAS' will be in remote locations, I won't always know the IP and in some cases they will be using the same IP as they are behind a private network. Setting up radius proxies at the remote locations is not an option.
> I was thinking about using the NAS-ID or called-station-id to authenticate instead. The NAS-ID is in the rad_recv request so I'm figuring somehow it must be possible to use that?

I presume you're talking about the NAS-Identifier attribute.  If your 
NAS can be configured to send this, and allows you to set a unique value 
for each NAS, that's the right way to do what you want.

(Often you'd use the NAS-IP-Address attribute instead, but that won't 
work for you if multiple NASes have the same local IP address)

Once you've got an attribute in the incoming request which identifies 
the NAS, then it's relatively straightforward to do what you want.

To start with, you can use unlang in a policy module: e.g.

     if (&SQL-Group[*] == "staff" && &NAS-Identifier =~ /^(foo|bar)$/) {

[Aside: the [*] is there to allow the user to have multiple SQL-Group 
attributes, and to match if any of them is "staff"]

But in practice, you probably want to map a bunch of different 
NAS-Identifiers to some sort of group attribute so you can create a 
policy which says "when user is in group X and NAS is in group Y then do Z"

There are various ways you could lookup NAS-Identifier to set some group 
attribute.  To do this in SQL, you'd need to create a new instance of 
the "sql" module, keyed by NAS-Identifier rather than User-Name, and 
using a different set of tables:

sql sql_nas {
    sql_user_name = "%{NAS-Identifier}"
    group_attribute = "NAS-SQL-Group"
    # ...  also configure to point to a different set of tables
}

In your authorize { } section you would invoke both "sql" and "sql_nas" 
modules. The first looks up the username, and the second looks up the 

Then you can have policy logic like:

if (&SQL-Group[*] == "staff" && &NAS-SQL-Group[*] == "dialup") {

(Warning: all examples untested)

If this is too complicated, then there is another brute-force way you 
can consider: set up a bunch of radius virtual servers listening on 
different ports, one for each type of NAS access policy. Then configure 
each NAS to point to the correct port.
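
The "user in group X and NAS in group Y" policy from this message, carried through to a complete authorize section with a default-deny branch. This is an added example, not part of the original post and not tested against a live server. It assumes FreeRADIUS 3.x and the "sql_nas" instance sketched above; the group names "guest" and "hotspot" and the Session-Timeout value are constructed for illustration.

```unlang
# Added example: assumes the "sql" and "sql_nas" module instances exist and
# that sql_nas sets group_attribute = "NAS-SQL-Group" as in the post above.
authorize {
    # A request that does not identify its NAS cannot be mapped to a
    # NAS group, so refuse it before doing any lookups.
    if (!&NAS-Identifier) {
        reject
    }

    sql        # user lookup, keyed by User-Name
    sql_nas    # NAS lookup, keyed by NAS-Identifier

    # Allowed (user group, NAS group) pairs. The conditions reuse the
    # form given in the post.
    if (&SQL-Group[*] == "staff" && &NAS-SQL-Group[*] == "dialup") {
        noop
    }
    elsif (&SQL-Group[*] == "guest" && &NAS-SQL-Group[*] == "hotspot") {
        # Constructed example of a per-pair reply attribute.
        update reply {
            &Session-Timeout := 3600
        }
    }
    else {
        # Unknown NAS-Identifier, unknown user group, or a pair that is
        # not listed above: deny by default.
        reject
    }

    # ... remaining authorize modules (pap, chap, eap, ...) as usual
}
```

NAS-Identifier is a value the NAS itself puts in the request, so this check is only as trustworthy as the shared secret of the client entry the request matched.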


