User authentication for remote NAS'?

Matthew Newton mcn4 at leicester.ac.uk
Thu Mar 30 12:01:16 CEST 2017 

On Thu, Mar 30, 2017 at 02:15:20AM +0000, wefwe fewfew wrote:
> I'm completely new to Freeradius and mysql and have been playing
> around with it for the past couple of weeks. A lot of fun but
> also a bit frustrating at times.

It's very flexible, but therefore can also be complicated, with a
steep learning curve. But start small and don't go too fast with
learning.

> The NAS' will be in remote locations, I won't always know the IP
> and in some cases they will be using the same IP as they are
> behind a private network. Setting up radius proxies at the
> remote locations is not an option.

Doing RADIUS behind NAT is not a good idea and will likely cause
you problems.

How to identify the client is one of them that you've hit.

> I was thinking about using the NAS-ID or called-station-id to
> authenticate instead. The NAS-ID is in the rad_recv request so
> I'm figuring somehow it must be possible to use that?

Yes, but you can't necessarily trust it, being an attribute the
RADIUS client can change it.

You normally have several options:

Key off NAS-Identifier, NAS-IP or Called-Station-Id.

Key off the virtual attribute Packet-Src-IP-Address, which you can
trust (it's the source IP of the packet).

Add another config setting to the client definition, e.g.

client x {
  ...
  mygroupname = something
}

and refer to it in the config with %{client:mygroupname}.

The latter two are better, but will break with NAT as you'll be
using the same client entry for multiple RADIUS servers.

The latter two are best, but will break with NAT.

> Very simple minded I thought that it might be as simple as
> modifying the hunt group tutorial on the wiki by replacing the
> nas-ip with nas-id but that didn't work. After some more reading
> all the mailing list entries tell me the wiki is wrong and won't
> work.

Unlang is preferable over huntgroups.

> I would like to know if A) its possible to use anything other
> than the IP to identify the NAS and B) How would I go about
> achieving that?

a) Not really with NAT

b) don't use NAT, or at least have a RADIUS proxy.

> Freeradius version 2.2.8

3.0.13 is recommended, version 2 is obsolete now.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list