NAS and RADIUS Client Configuration

In eduroam, the NAS is usually the wireless controller, AP, or access switch that sends RADIUS requests to FreeRADIUS.

Best Practices

  • prefer controller-based RADIUS where the platform supports it
  • use static source IPs for RADIUS clients
  • configure primary and secondary RADIUS servers
  • set short but realistic timeout and retry values
  • enable accounting start, stop, and interim updates

FreeRADIUS Client Example

Define each NAS in clients.conf:

client ap-floor-1 {
    ipaddr = 10.20.1.11
    secret = <strong-shared-secret>
    shortname = ap-floor-1
    nastype = other
}

client wlan-controller {
    ipaddr = 10.20.0.5
    secret = <another-strong-secret>
    shortname = wlan-controller
    nastype = other
}
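
A clients.conf in this layout can be checked automatically before deployment. The following is an added example, not part of the original page or of FreeRADIUS: a small Python audit that flags clients defined as a range instead of one static IP, weak or default secrets, and secrets reused across clients. The sample input, the finding labels and the 16-character minimum are assumptions made for illustration, and the parser only handles flat client blocks like the ones shown above.

```python
import ipaddress
import re

# Constructed sample clients.conf (addresses and secrets are made up).
SAMPLE = """\
client ap-floor-1 {
    ipaddr = 10.20.1.11
    secret = Xq7vR2mLp9zT4wKd8sHb3NcY
}
client wlan-controller {
    ipaddr = 10.20.0.0/24
    secret = testing123
}
client ap-floor-2 {
    ipaddr = 10.20.1.12
    secret = Xq7vR2mLp9zT4wKd8sHb3NcY
}
"""

CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)  # flat blocks only
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
MIN_SECRET_LEN = 16               # assumed local policy, not a FreeRADIUS limit
DEFAULT_SECRETS = {"testing123"}  # secret shipped in FreeRADIUS's sample config

def parse_clients(text):
    """Yield (name, {key: value}) for each flat client block."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop full-line comments
    for name, body in CLIENT_RE.findall(text):
        yield name, {k: v.strip('"') for k, v in KV_RE.findall(body)}

def audit(text):
    """Return (client, finding) tuples: range, not-an-ip, weak-secret, reused-secret."""
    findings, owner = [], {}
    for name, attrs in parse_clients(text):
        secret = attrs.get("secret", "")
        try:
            net = ipaddress.ip_network(attrs.get("ipaddr", ""), strict=False)
            if net.num_addresses > 1:
                findings.append((name, "range"))      # not one static IP
        except ValueError:
            findings.append((name, "not-an-ip"))      # hostname or missing
        if len(secret) < MIN_SECRET_LEN or secret in DEFAULT_SECRETS:
            findings.append((name, "weak-secret"))
        if secret in owner:
            findings.append((name, "reused-secret:" + owner[secret]))
        owner.setdefault(secret, name)
    return findings

if __name__ == "__main__":
    for client, finding in audit(SAMPLE):
        print(f"{client}: {finding}")
```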

Controller Settings

The wireless platform should be configured with:

  • authentication port 1812
  • accounting port 1813
  • the same shared secret configured in FreeRADIUS
  • failover order for secondary RADIUS servers
  • accounting interim updates, commonly every 300 to 600 seconds

Attributes Commonly Sent by the NAS

Useful attributes include:

  • Called-Station-Id
  • Calling-Station-Id
  • NAS-IP-Address
  • NAS-Identifier
  • Operator-Name
  • Chargeable-User-Identity, where policy requires it

Ensure the platform is configured to include enough information for troubleshooting and abuse handling.