
I am using a FreeRADIUS server locally on an Ubuntu machine, and my system is working fine. I want to allow my system to run from the cloud so I can start selling it, but I don't know how to make my FreeRADIUS work in the cloud. Clients don't have a public IP address. I searched many times on the internet and found many cloud RADIUS servers; they use the NAS-ID attribute, but I don't know how FreeRADIUS and the NAS can make a connection and authenticate through NAS-ID. When I run my system locally I insert the NAS information into the nas table, like the NAS IP and secret, but that is because the NAS and the FreeRADIUS server run on the same network, so they can connect together. So how can I do that for the cloud?

When I tried one cloud AAA on the internet and tried to insert my NAS, the system generated a script and asked me to run it on my Mikrotik NAS. I understand everything in the script, but I still don't understand how FreeRADIUS can connect to the NAS. The commands just set the IP of the FreeRADIUS server, which is

195.228.75.174   

and some other configuration. Mikrotik can access the RADIUS server because it is a public IP in the cloud, but when RADIUS replies to the NAS, how can it connect to it? Mikrotik does not have a public IP. I am very confused trying to understand this idea.

Muhammad

3 Answers


The RADIUS server always replies to the ephemeral port used by the NAS. The NAS doesn't need a public IP to communicate with the RADIUS server.

On the NAS device you just have to point to the RADIUS server. In Mikrotik you can do this:

 /radius add address=x.x.x.x secret=secretpass service=hotspot
 /radius incoming set accept=yes


There are possibly a few ways to achieve this. One of them is to use the authorize section in /etc/freeradius/sites-enabled/default; you can control it like this:

 # Look up the NAS this user is registered for and compare it with the
 # NAS-Identifier carried in the request; reject if they differ
 if ("%{sql:SELECT nas_id FROM users WHERE username = '%{User-Name}'}" != "%{NAS-Identifier}") {
     update reply {
         Reply-Message = 'Error: You are not allowed to connect from this NAS ! Bingo - zaib'
     }
     update control {
         Auth-Type := "Reject"
     }
 }

More details here

iBBi
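The two points made in the answers above, that the server replies to whatever source address and port the request arrived from (so a NAS behind NAT needs no public IP, and the reply is bound to the shared secret rather than to the NAS address), and that the server can accept or reject on NAS-Identifier, can be watched end to end in this added Python example, which is not code from the question, the answers or the FreeRADIUS project. It builds a minimal RFC 2865 Access-Request, runs one exchange over loopback UDP, and checks the Response Authenticator on the NAS side; the secret, NAS-Identifier value and user name are constructed, and User-Password handling is left out, so it shows only the addressing and the NAS-ID check.

```python
import hashlib, os, socket, struct

SECRET = b"somesecret"                     # shared secret, as in clients.conf (constructed value)
ALLOWED_NAS_IDS = {"mikrotik-hotspot-1"}   # NAS-Identifier values this server trusts (constructed)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 18, 32     # RFC 2865 attribute types

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length covers the 2-byte header too
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data) and 2 <= data[i + 1] <= len(data) - i:
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    if i != len(data): raise ValueError("malformed attribute")
    return attrs
def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def response_authenticator(code, ident, req_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()
def handle_request(data, secret=SECRET, allowed=ALLOWED_NAS_IDS):
    # Server side: accept or reject on NAS-Identifier alone; returns the reply bytes
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code != ACCESS_REQUEST or length != len(data):
        raise ValueError("not a well-formed Access-Request")
    nas_id = dict(decode_attrs(data[20:])).get(NAS_IDENTIFIER, b"").decode(errors="replace")
    reply_code = ACCESS_ACCEPT if nas_id in allowed else ACCESS_REJECT
    reply_attrs = [] if reply_code == ACCESS_ACCEPT else [(REPLY_MESSAGE, b"unknown NAS-Identifier")]
    auth = response_authenticator(reply_code, ident, data[4:20], reply_attrs, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)
def verify_reply(reply, req_auth, secret=SECRET):
    # NAS side: only a server holding the shared secret can produce a matching authenticator
    code, ident, length = struct.unpack("!BBH", reply[:4])
    return reply[4:20] == response_authenticator(code, ident, req_auth, decode_attrs(reply[20:length]), secret)
def exchange(nas_id, user=b"alice"):
    # One request/reply over loopback UDP; the 'NAS' binds no fixed address or port, like a NAS behind NAT
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); server.bind(("127.0.0.1", 0))
    nas = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); nas.settimeout(2)
    req_auth = os.urandom(16)
    req = build_packet(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, user), (NAS_IDENTIFIER, nas_id.encode())])
    nas.sendto(req, server.getsockname())
    data, peer = server.recvfrom(4096)
    server.sendto(handle_request(data), peer)   # reply to wherever the request came from
    reply, _ = nas.recvfrom(4096)
    server.close(); nas.close()
    return reply[0], verify_reply(reply, req_auth)
```

A rejected NAS-Identifier still gets an authenticated Access-Reject, so the NAS can tell a genuine refusal from a forged or corrupted datagram.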

Change the clients.conf file to allow a particular subnet, or just allow the whole IP range like below:

 # Any source address is accepted; the request is matched on the shared secret
 client 0.0.0.0/0 {
   secret = somesecret
   shortname = somename
 }
adiga
Ganesh