NAS Clients
The NAS Clients screen displays all configured NAS Clients, including third-party devices, and is used to create, edit, and delete NAS Clients. NAS serves as a protective gateway, regulating access to network resources. A client connects to the NAS, which then communicates to an Authentication Server to verify the validity of the credentials provided by the client. The NAS then allows or denies access to the network resource. The network device within the infrastructure attaching with wired or wireless clients will act as a NAS client, communicating to UPAM which acts as an Authentication Server.
To access the NAS Clients screen, click on Network Access > UPAM-NAC > NAS Clients under the “Configure” section of the OmniVista Cirrus Menu.
Creating a NAS Client
There is a pre-configured default NAS Client profile (“All Managed Devices”) designated for each Organization. You can edit the default NAS Client profile or create a new one.
To add a NAS Client, click on Create NAS Client to open the Create NAS Client form. Complete the following sections of the form, then click Create when you are finished.
Basic Information - Configure the NAS name, IP Addresses, DM-Attribute, COA-Attribute, description, and whether the NAS client is a third-party device.
Shared Secret - Configure the shared secret used by the NAS client to communicate with the Authentication Server. It is highly recommended that you change the default shared secret for NAS clients.
Require Message Authenticator - Configure whether UPAM checks for the Message-Authenticator attribute in RADIUS request packets coming from NAS clients.
Basic Information
NAS Name - The name of the NAS Client.
Third-party Devices - Enable this option to indicate the NAS client is a third-party device. (Default = Disabled).
Start IP Address (v4) - The starting IP of the NAS Client segment.
End IP Address (v4) - The ending IP of the NAS Client segment.
DM-Attribute - The DM message is used to disconnect subscriber sessions in the system from a RADIUS server. The DM request message should contain necessary attributes (User Name/Calling Station ID) to identify the subscriber session.
User Name - The value should exactly match the subscriber name of the session.
Calling Station ID - The value should match the subscriber ID.
COA-Attribute - The COA message is used to Change of Authentication (COA) in the system from the Radius Server. The COA request message should contain necessary attributes (Username/Calling Station ID) to identify the changes.
Shared Secret
Shared Secret - Configure the shared secret used by the NAS client to communicate with the Authentication Server.
Confirm Shared Secret - Enter the Shared Secret again to confirm.
If you change the shared secret used by the NAS client, then you must also update the shared secret of the UPAM RADIUS Server. The NAS client and UPAM RADIUS Server must use the same shared secret to ensure that RADIUS traffic from the NAS client is authorized.
Require Message Authenticator
Require Message Authenticator - Enables/Disables UPAM checking for the Message-Authenticator attribute in RADIUS request packets coming from NAS clients within the specified IP address range. Access Points always include the Message-Authenticator attribute; however, you must use the aaa radius message-authenticator CLI command to enable an OmniSwitch to include this attribute in request packets. Checking for this attribute is also configurable when defining a UPAM External RADIUS server and a RADIUS Authentication server. Refer to the Require Message Authenticator Use Cases for more information.
Enabled - UPAM will drop request packets that do not contain the Message-Authenticator attribute. Enabling the Require Message Authenticator flag is highly recommended to prevent attempts to forge authentication responses by spoofing UDP-based RADIUS response packets.
Disabled - UPAM does not check if request packets contain the Message-Authenticator attribute.
Editing a NAS Client
Select a NAS Client entry, then click on Actions and select Edit from the drop-down menu or click on the Edit icon under the “Actions” column next to the NAS Client entry.
Edit the field(s) as described above, then click on Save.
Modifying the default “All Managed Devices” NAS Client will affect all managed devices.
Deleting a NAS Client
Select a NAS Client entry, then click on Actions and select Delete from the drop-down menu or click on the Delete icon under the “Actions” column next to the NAS Client entry. Click Delete at the Confirmation Prompt.
Note that you cannot delete the default “All Managed Devices” NAS Client profile entry.
View Additional NAS Client Information
Select the NAS Client name in the list and click on the Additional Information icon under the “Actions” column next to the NAS Client entry.
NAS Name - The name of the NAS Client.
Start IP Address (v4) - The starting IP of the NAS Client segment.
End IP Address (v4) - The ending IP of the NAS Client segment.
Description - The optional description for the NAS Client. (Default = NAS Name)
DM-Attribute - The DM message used to disconnect subscriber sessions in the system from a RADIUS server. The DM request message should contain necessary attributes (User Name/Calling Station ID) to identify the subscriber session.
COA-Attribute - The COA message used to Change of Authentication (COA) in the system from the Radius Server. The COA request message should contain necessary attributes (Username/Calling Station ID) to identify the changes.
Message Authenticator - Indicates whether UPAM checks for the Message-Authenticator attribute in RADIUS request packets coming from NAS clients within the specified IP address range. (Default = Enabled)
Created At - The date and time the NAS Client was created.