NAS

Introduction

  • NAS devices are clients to the FreeRADIUS server. RADIUSdesk in turn is a web-based management solution for FreeRADIUS.
  • When we register a NAS device with RADIUSdesk, we can specify the type of connection the device will use to connect to RADIUSdesk.
  • Each device will also have an Access Provider, which is assigned as the owner of the device.
  • Each device can be marked to be available to sub-providers or not.
  • Each device can be assigned to one or more realms.
  • Each device can be monitored to see if it is up, and for how long.
  • Each device can be tagged with one or more tags.
  • Each device can have a geo location and also an optional flag that specifies whether this device can be displayed on web pages that are available to the public.

As you can see from this list, a NAS device has many options, which allows very complex configurations and arrangements. You can, however, still use it in a very simple way to maintain basic functionality.

The rest of this page will discuss the various points listed in the introduction.


Connection types

There are four connection types supported. You may however not be presented with a choice of all four if you have not installed and configured them all.

  • Direct connection - This is the simplest connection, where the IP Address that the client connects with will always be the same.
  • OpenVPN - This option creates an entry for an OpenVPN client on the RADIUSdesk system.
  • PPTP - This option creates an entry for a PPTP client on the RADIUSdesk system.
  • Dynamic client - This can be used as an alternative to the two available VPN options. Preferred with large deployments since it scales well.

NAS device owner

  • In order to create a solution that scales easily, each NAS device has to belong to an Access Provider.
  • Depending on the rights assigned to the Access Provider, he can add his own NAS devices.
  • An Access Provider can also be enabled to add NAS devices and specify that they belong to a sub-provider which is managed by him.
  • This enables us to create smaller environments, each of which can be overseen by someone.

Making a NAS device available to sub-providers

  • When we add a NAS device, we have to specify whether this device will be available to sub-providers.
  • A simple rule of thumb is as follows:
    • Making a device available to sub-providers gives us the opportunity to assign any realm (public or private) belonging to a sibling as well as any realm (public or private) belonging to the owner of the device.
    • A device that is not available to sub-providers gives us the opportunity to assign any public realm of an upstream provider as well as any realm (public or private) belonging to the owner of the device. Realms belonging to siblings of the owner will not be available.

Assigning a realm to a NAS device

  • When you create a NAS device, you have the opportunity to specify which realms can access this device.
  • The list of realms available to assign changes depending on whether the device is flagged as available to sub-providers or not.
  • The following schematics show the scenarios graphically.
  • We assume a 3-level deep Access Provider tree, starting from root, each having a private and public realm:
    [Figure: Access Provider tree, three levels deep, with a private and a public realm at each level]
  • We show a NAS device belonging to each of the Access Providers, specifying that the device is available to sub-providers.
    [Figure: NAS devices that are available to sub-providers]
  • We show a NAS device belonging to each of the Access Providers, specifying that the device is not available to sub-providers.
    [Figure: NAS devices that are not available to sub-providers]

  • These are the available realms which can be assigned to a NAS device.

  • You also have the opportunity to specify a NAS device to be available to any realm, which is probably what you have to do if you will forward requests to downstream RADIUS servers.

Tags for a NAS device

  • Each NAS device can be associated with zero or more tags.
  • Tags are a handy way to mark certain devices.
  • Tags make this very flexible. You can, for instance, tag all the NAS devices in a certain geographical area, tag devices which have a certain version of software installed, or add a tag to devices that give problems.
  • In conjunction with these tags we can use special AVPs to return certain attributes if a device is tagged with a specified tag.
  • Let us consider a practical example:
    • Suppose you want to run a promotion in a certain city where you have a few NAS devices deployed.
    • The promotion will allow registered users to have free access from midnight until 5AM.
    • Tag all the required devices with a tag called Midnight-Special.
    • Create a group with the following radgroupcheck and radgroupreply attributes:
    • Create a radgroupcheck attribute called Rd-Tag-A and give it a value of Midnight-Special.
    • Create a radgroupreply attribute called Login-Time and give it a value of Al0000-0500.
    • Assign this group to the profile user specified as the value of the User-Profile radcheck attribute for the user.
    • When a request from a user with this special Rd-Tag-x check attribute comes in on a device with the designated tag, this check attribute will be added to the incoming request's hash and will cause FreeRADIUS to evaluate and return the attributes specified in the radgroupreply for the associated group.
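
The Midnight-Special setup above, as an added example that is not RADIUSdesk's or FreeRADIUS's own code: it loads the rows into simplified in-memory copies of the tables and models the lookup, so you can confirm that the promotion's reply attribute is returned only for requests arriving on a tagged device. The radusergroup table, the op values, the user, profile and group names, and the rule that every Rd-Tag check on a group must match are assumptions made for this sketch.

```python
import sqlite3

# Simplified copies of the FreeRADIUS SQL tables the page names (radusergroup
# is assumed); the op values and all user/profile/group names are constructed.
SCHEMA = """
CREATE TABLE radcheck      (username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radcheck      VALUES ('alice', 'User-Profile', ':=', 'promo-profile');
INSERT INTO radusergroup  VALUES ('promo-profile', 'midnight-group', 5);
INSERT INTO radgroupcheck VALUES ('midnight-group', 'Rd-Tag-A', '==', 'Midnight-Special');
INSERT INTO radgroupreply VALUES ('midnight-group', 'Login-Time', ':=', 'Al0000-0500');
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def group_reply(db, username, nas_tags):
    """Reply attributes of every group whose Rd-Tag-* checks match the NAS tags."""
    row = db.execute(
        "SELECT value FROM radcheck WHERE username=? AND attribute='User-Profile'",
        (username,)).fetchone()
    if row is None:
        return {}                      # user has no profile, so no groups apply
    reply = {}
    groups = db.execute(
        "SELECT groupname FROM radusergroup WHERE username=? ORDER BY priority",
        (row[0],)).fetchall()
    for (group,) in groups:
        checks = db.execute(
            "SELECT value FROM radgroupcheck WHERE groupname=? AND attribute LIKE 'Rd-Tag-%'",
            (group,)).fetchall()
        # Assumed rule: every tag the group asks for must be on the device.
        if all(tag in nas_tags for (tag,) in checks):
            for attr, value in db.execute(
                    "SELECT attribute, value FROM radgroupreply WHERE groupname=?", (group,)):
                reply.setdefault(attr, value)
    return reply

if __name__ == "__main__":
    db = build_db()
    print(group_reply(db, "alice", {"Midnight-Special"}))  # tagged device
    print(group_reply(db, "alice", {"Head-Office"}))       # device without the tag
```

Running the same check against a copy of your own tables is a quick way to verify that a promotion tag has not been left on devices outside the intended area.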