This is an old revision of the document!

Table of Contents

NAS requirements

This page contains information about Network Access Server (NAS) requirements for connecting to SyCes.

SyCes uses a RADIUS server for centrally authenticating users and for accounting. Authentication of users against RADIUS is described in RFC2865. How accounting is done is described in RFC2866.

These are the specifications for implementing a Network Access Server (NAS) that communicates with SyCes. Within this document the two terms NAS and gateway are used in same meaning.

Captive Portal

A captive portal (CP) redirects unauthenticated users to a login form. Two different types (internal, external) of CPs may be implemented. At least one CP should be configurable per Gateway. In enterprise environments it should be possible to define multiple CPs and assign them to SSIDs (wireless) or VLANs (wired)

Common Requirements

Independently of implemented CP type following features should be implemented.

  • Idle Timeout
    Time in minutes after which a user should be disconnected if no data has been sent or received from WAN-connection. After disconnecting user has to login with his credentials again.
  • Hard Timeout
    Time in minutes after which a user should be disconnected. After disconnecting user has to login with his credentials again.
  • Reauthentication Time
    time in seconds after NAS reauthenticates user with given credentials automatically. If radius responds with an Access-Reject-Packet then user has to be disconnected, otherwise no change should be done. This feature is similar to CoA but is more secure as clients do not need incoming firewall rules. SyCes does not support CoA.
  • Accounting Period
    time in seconds after which accounting packets will be sent to RADIUS-server
  • Walled Garden Pages
    It should be possible to define multiple hosts and domains which should be accessible without authentication. This is required for payment process of self service portal
  • Whitelist
    This list should contain MAC-Addresses which should have WAN access without authentication, e.g. VIPs
  • Parallel Sessions
    It should be possible to configure a maximum number of parallel logins per username e.g. if a user wants to use his tablet and smartphone with same account.

Internal Captive Portal

This type of CP is located on the NAS. Users enter username and password and submit form to NAS. The NAS performs an authentication request to the configured RADIUS server. For internal captive portals following information needs to be stored on NAS:

  • Domain
    Clients are distinguished by the domain. Inside SyCes every username has following format: user@domain
    For convenience gateway should add the postfix “@domain” to the username in every RADIUS-Request.
  • Password
    If client wants to use the voucher system of syces it should be possible to configure the voucher password within the gateway. Users do not need to enter passwords any more, as all vouchers have same passwords.

External Captive Portal

This type of CP is located on SyCes-Server. Therefore we need only following information on Gateway:

  • External Captive Portal URL
    URL where external CP is stored. SyCes provides appropriate information in administration frontend.

For external CPs an optionally API should be implemented which speeds up login process.

RADIUS configuration

  • Radius-Server (authentication)
    Server, which is used for authentication. May be either a hostname or an ip-address. Hostnames are preferred over ip-addresses.
  • Authentication-Port
    UDP-Port which is used for authentication on RADIUS-Server. [Default: 1812]
  • Radius-Server (accounting)
    Server, which is used for accounting. May be either a hostname or an ip-address. Hostnames are preferred over ip-addresses. Different Servers are not required, but at least one Radius-Server (with 2 different ports) is required.
  • Accounting-Port
    UDP-Port which is used for accounting on RADIUS-Server [Default: 1813]
  • Shared-Secret
    Transactions between the client and RADIUS server are encrypted with a shared secret with a minimum length of 16 characters. It is used for both authentication and accounting.

Radius Packets

  1. No Keep-Alives
    No Keep-Alive packets should be sent to test if the server is alive. This adds to load without providing useful information.
    Monitoring will be done by Synergy Systems GmbH. In case of a system crash the team willl start working on regaining the functionality anyway.
Use NAS tools like radtest to find out whether the radius server or your implementation causes problems.

Radius Authentication

Access Request

Access Accept

Access Reject

Radius Accounting

Accounting Start

Interim Update

Accounting Stop

Trace: NAS requirements

QR Code
QR Code NAS requirements (generated for current page)