NAS and RADIUS Client Configuration
In eduroam, the NAS is usually the wireless controller, AP, or access switch that sends RADIUS requests to FreeRADIUS.
Best Practices
- prefer controller-based RADIUS where the platform supports it
- use static source IPs for RADIUS clients
- configure primary and secondary RADIUS servers
- set short but realistic timeout and retry values
- enable accounting start, stop, and interim updates
FreeRADIUS Client Example
Define each NAS in clients.conf:
client ap-floor-1 {
    ipaddr = 10.20.1.11
    secret = <strong-shared-secret>
    shortname = ap-floor-1
    nastype = other
}

client wlan-controller {
    ipaddr = 10.20.0.5
    secret = <another-strong-secret>
    shortname = wlan-controller
    nastype = other
}
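An added example (not part of the original page or of FreeRADIUS): a small Python audit of `clients.conf` entries that flags clients defined as address ranges rather than one static source IP, short or placeholder secrets, and, going one step beyond the page, secrets reused across clients. The 16-character minimum, the function names and the sample entries are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

MIN_SECRET_LEN = 16  # assumed local policy, not a FreeRADIUS default

# Constructed sample, not a real deployment.
SAMPLE = """
client ap-floor-1 {
    ipaddr = 10.20.1.11
    secret = Zk9wq3Lm7xTr2VbN8pQe5H
}
client wlan-controller {
    ipaddr = 10.20.0.0/16
    secret = testing123
}
client ap-floor-2 {
    ipaddr = 10.20.1.12
    secret = Zk9wq3Lm7xTr2VbN8pQe5H
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_clients(text):
    """Return {client_name: {key: value}}; handles flat client blocks only."""
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # drop comment lines
    return {n: dict(KV_RE.findall(b)) for n, b in CLIENT_RE.findall(text)}


def audit(text):
    """Return a sorted list of (client, finding) tuples."""
    findings, by_secret = [], defaultdict(list)
    for name, cfg in parse_clients(text).items():
        try:
            if ipaddress.ip_network(cfg.get("ipaddr", ""), strict=False).num_addresses > 1:
                findings.append((name, "ipaddr is a range, not one static source IP"))
        except ValueError:
            findings.append((name, "ipaddr missing or not an IP literal"))
        secret = cfg.get("secret", "").strip('"')
        if len(secret) < MIN_SECRET_LEN or secret.startswith("<"):
            findings.append((name, "secret is short or a placeholder"))
        by_secret[secret].append(name)
    for names in by_secret.values():
        if len(names) > 1:
            findings += [(n, "secret reused by another client") for n in names]
    return sorted(findings)
```

Pass the contents of `clients.conf` to `audit()`; an empty list means none of the three checks fired.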
Controller Settings
The wireless platform should be configured with:
- authentication port 1812
- accounting port 1813
- the same shared secret configured in FreeRADIUS
- failover order for secondary RADIUS servers
- accounting interim updates, commonly every 300 to 600 seconds
Attributes Commonly Sent by the NAS
Useful attributes include:
- Called-Station-Id
- Calling-Station-Id
- NAS-IP-Address
- NAS-Identifier
- Operator-Name
- Chargeable-User-Identity, where policy requires it
Ensure the platform is configured to include enough information for troubleshooting and abuse handling.