User authentication for remote NAS'?

Alan DeKok aland at
Thu Mar 30 14:44:17 CEST 2017

On Mar 29, 2017, at 10:15 PM, wefwe fewfew <totallimpbizkit at> wrote:
> I'm completely new to Freeradius and mysql and have been playing around with it for the past couple of weeks. A lot of fun but also a bit frustrating at times.

  Everything is documented, and the debug output is without equal.  Just try debugging rules in Apache, nginx, postfix, or any other networking daemon.  The most common message is "Error", which is entirely useless.

  If you find it frustrating, it would be good to describe what's missing in the documentation, so that other people don't run into the same issues.

  But my $0.02 is that the largest source of frustration is a general lack of knowledge about how RADIUS works.  Which is why I wrote the technical guide available on

> I've been reading the mailing lists, googling, and there are people with similar questions but I've yet to find an answer. Hopefully somebody can give me some pointers :)

  The documentation that comes with the server describes this in detail.  Just read clients.conf, or raddb/sites-available/README

  There seems to be a general belief that a pice of software just can't possibly come with documentation or configuration examples that make sense.  Instead, the goal should be to just google things, and hope some random third-party page has what you're looking for.

  Please don't do that.  It's a waste of time.

> Have multiple NAS' in remote locations authenticate with a central Freeradius server.

  See clients.conf.  Clients are defined by IP address.  There is nothing which suggests you can do anything else.

> The NAS' will be in remote locations, I won't always know the IP and in some cases they will be using the same IP as they are behind a private network. Setting up radius proxies at the remote locations is not an option.

  RADIUS works by keying off of the source IP address.  If the NASes are behind NATs and you can't install local proxies... you can't do RADIUS as it was designed.

  The only other option is to use the same IP address for a network.  Again, see clients.conf for how to specify a mask (e.g.

> I was thinking about using the NAS-ID or called-station-id to authenticate instead. The NAS-ID is in the rad_recv request so I'm figuring somehow it must be possible to use that?

  It's not possible.

> Right now I'm at a loss and don't know what to do. The mailing list is my last resort.

  The mailing list should be your first resort.  Or maybe second after reading the docs included with FreeRADIUS.

> I would like to know if A) its possible to use anything other than the IP to identify the NAS and B) How would I go about achieving that?

  It's not possible.

> By the way, if I ever get this working, can I write  a guide and submit it to the wiki?

  Since it's not possible, no, sorry.

> Freeradius version 2.2.8

  Please upgrade to v3.  It's just so much better.

  Alan DeKok.

More information about the Freeradius-Users mailing list