Generic RADIUS Integration
Configure any RADIUS-capable device to authenticate with NetKey. This guide covers the essential settings and attributes for universal compatibility.
Overview
NetKey is a standards-compliant RADIUS server that works with any device supporting RFC 2865 (RADIUS Authentication) and RFC 2866 (RADIUS Accounting).
- Standards Compliant: RFC 2865, 2866, 2868, 2869
- Vendor Attributes: Cisco, Aruba, Ruckus, Fortinet VSAs
- EAP Support: PEAP, EAP-TLS, EAP-TTLS
- RadSec: RADIUS over TLS (RFC 6614)
Connection Settings
Use these settings to configure any RADIUS client device.
Log in to app.netkey.no → Settings → RADIUS Clients to find your RADIUS server IP/hostname and ports, and to create a shared secret for your device.
| Setting | Value |
|---|---|
| Authentication Port | 1812 (UDP) |
| Accounting Port | 1813 (UDP) |
| RadSec Port | 2083 (TCP/TLS) |
The RADIUS shared secret is case-sensitive and must match exactly on both your NAS device and in your NetKey RADIUS Client settings.
Authentication Types
PAP (Password Authentication Protocol)
Simple username/password authentication. The password is encrypted using the shared secret.
- Used for: Simple device authentication, captive portals
- Attributes: User-Name, User-Password
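How the shared secret protects a PAP password, and why a secret that differs only by case or a trailing space cannot work: the following is an added example (not NetKey code) of the User-Password hiding defined in RFC 2865 section 5.2. The secret, password and Request Authenticator are constructed sample values.

```python
import hashlib

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # First key is MD5(secret + Request Authenticator); each later block is keyed
    # by MD5(secret + previous *hidden* block), as in RFC 2865 section 5.2.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS places in the User-Password attribute."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16-byte blocks
    return _xor_blocks(padded, secret, authenticator, hiding=True)

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server computes with the secret stored for this client."""
    return _xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

# Constructed sample values, not real credentials.
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"Sh4red-Secret"
PASSWORD = b"correct horse battery"
HIDDEN = hide_password(PASSWORD, NAS_SECRET, AUTHENTICATOR)

def server_view(server_secret: bytes) -> bytes:
    """Password as seen by a server configured with server_secret."""
    return recover_password(HIDDEN, server_secret, AUTHENTICATOR)

if __name__ == "__main__":
    # Exact secret, wrong case, trailing space: only the first round-trips.
    for candidate in (b"Sh4red-Secret", b"sh4red-secret", b"Sh4red-Secret "):
        print(repr(candidate), "->", server_view(candidate) == PASSWORD)
```

The protection of the password rests entirely on the shared secret and MD5, which is one reason to carry PAP inside RadSec or a TLS-tunneled EAP method where the device supports it.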
CHAP (Challenge-Handshake Authentication Protocol)
Challenge-response authentication in which the password itself is never sent.
- Used for: Enhanced security over PAP
- Attributes: CHAP-Password, CHAP-Challenge
EAP (Extensible Authentication Protocol)
Framework for advanced authentication methods.
| Method | Description | Use Case |
|---|---|---|
| PEAP | Protected EAP with MSCHAPv2 | User auth with username/password |
| EAP-TLS | Certificate-based authentication | Highest security, device certificates |
| EAP-TTLS | Tunneled TLS | Password auth with TLS tunnel |
MAC Authentication
Authenticate devices based on MAC address.
- Used for: IoT devices, printers, devices without 802.1X
- MAC sent as: User-Name (and optionally User-Password)
Request Attributes
Common attributes sent by NAS devices in Access-Request.
| Attribute | Type | Description |
|---|---|---|
| User-Name | 1 | Username or MAC address |
| User-Password | 2 | Encrypted password (PAP) |
| NAS-IP-Address | 4 | IP of the NAS device |
| NAS-Port | 5 | Physical port on NAS |
| Service-Type | 6 | Type of service requested |
| Called-Station-Id | 30 | AP MAC or SSID:APMAC |
| Calling-Station-Id | 31 | Client MAC address |
| NAS-Identifier | 32 | Name of the NAS device |
| NAS-Port-Type | 61 | Type of port (Wireless, Ethernet) |
Response Attributes
Attributes NetKey can return in Access-Accept.
Standard Attributes
| Attribute | Description |
|---|---|
| Session-Timeout | Maximum session time in seconds |
| Idle-Timeout | Idle disconnect time in seconds |
| Filter-Id | Access control filter or group name |
| Class | Group or class identifier |
VLAN Assignment (RFC 2868)
| Attribute | Value |
|---|---|
| Tunnel-Type | 13 (VLAN) |
| Tunnel-Medium-Type | 6 (IEEE-802) |
| Tunnel-Private-Group-ID | VLAN ID (e.g., "100") |
```
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-ID:0 = "100"
```
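To check that an Access-Accept really carries a usable VLAN assignment, the three attributes can be decoded from the packet's attribute bytes. This is an added example (not NetKey code) using the RFC 2868 wire layout; omitting the tag byte from Tunnel-Private-Group-ID when the tag is 0 is an assumption about the encoder, and the sample bytes are constructed.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan(vlan_id: str, tag: int = 0) -> bytes:
    """Encode the three RFC 2868 attributes as they appear in an Access-Accept."""
    def tagged_int(attr: int, value: int) -> bytes:
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    # Assumption: with tag 0 the string attribute carries no tag byte.
    group = (bytes([tag]) if tag else b"") + vlan_id.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)

def parse_attributes(blob: bytes):
    """Yield (type, value) for each attribute, rejecting malformed lengths."""
    i = 0
    while i < len(blob):
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad attribute length at offset {i}")
        yield blob[i], blob[i + 2:i + length]
        i += length

def vlan_problems(blob: bytes) -> list:
    """Return [] when the attributes form a usable VLAN assignment."""
    seen = {}
    for attr, value in parse_attributes(blob):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[attr] = int.from_bytes(value[1:], "big")      # skip the tag byte
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x01..0x1F is a tag, anything else is data.
            text = value[1:] if 1 <= value[0] <= 0x1F else value
            seen[attr] = text.decode("ascii", "replace")
    problems = []
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type is not 13 (VLAN)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type is not 6 (IEEE-802)")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if not group:
        problems.append("Tunnel-Private-Group-ID is missing")
    elif group.isdigit() and not 1 <= int(group) <= 4094:
        problems.append(f"VLAN ID {group} is outside 1..4094")
    return problems

if __name__ == "__main__":
    print(encode_vlan("100").hex(), vlan_problems(encode_vlan("100")))
    print(vlan_problems(bytes.fromhex("1b0600000e10")))  # constructed: Session-Timeout only
```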
Vendor-Specific Attributes (VSA)
NetKey supports these vendor-specific attributes:
| Vendor | Attribute | Purpose |
|---|---|---|
| Cisco | Cisco-AVPair | PSK passphrase, ACL, roles |
| Aruba | Aruba-MPSK-Passphrase | Per-device passphrase |
| Aruba | Aruba-User-Role | User role assignment |
| Ruckus | Ruckus-DPSK-Passphrase | Dynamic PSK |
| Ruckus | Ruckus-User-Role | User role assignment |
MAC Address Formats
Different vendors use different MAC address formats. Configure NetKey to match.
| Format | Example | Common Vendors |
|---|---|---|
| Lowercase, colons | aa:bb:cc:dd:ee:ff | UniFi, Linux |
| Uppercase, colons | AA:BB:CC:DD:EE:FF | Some Cisco |
| Lowercase, hyphens | aa-bb-cc-dd-ee-ff | FortiGate, Windows |
| Uppercase, no delimiter | AABBCCDDEEFF | Ruckus, some Aruba |
| Lowercase, no delimiter | aabbccddeeff | Some Cisco |
| Cisco format (dots) | aabb.ccdd.eeff | Cisco IOS |
Set the MAC format in Group Settings → RADIUS → MAC Format to match your network equipment.
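When MAC authentication fails, comparing the MAC string the NAS actually sends with the configured format is usually the first check. This is an added example (not NetKey code) that validates a MAC address strictly and rewrites it into any of the six formats in the table; the format names used as dictionary keys are labels chosen for this example.

```python
import re

def _pairs(h: str) -> list:
    return [h[i:i + 2] for i in range(0, 12, 2)]

# Keys are labels chosen for this example; each output shape is one row of the table.
FORMATS = {
    "lowercase-colons":       lambda h: ":".join(_pairs(h)),
    "uppercase-colons":       lambda h: ":".join(_pairs(h)).upper(),
    "lowercase-hyphens":      lambda h: "-".join(_pairs(h)),
    "uppercase-no-delimiter": lambda h: h.upper(),
    "lowercase-no-delimiter": lambda h: h,
    "cisco-dots":             lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),
}

# One delimiter style per address; mixed or partial input is rejected, not guessed at.
_MAC = re.compile(
    r"(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"   # aa:bb:.. or aa-bb-..
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"                 # aabb.ccdd.eeff
    r"|[0-9a-f]{12})"                                         # aabbccddeeff
)

def canonical(mac: str) -> str:
    """Return 12 lowercase hex digits, or raise ValueError."""
    s = mac.strip().lower()
    if not _MAC.fullmatch(s):
        raise ValueError(f"not a MAC address: {mac!r}")
    return re.sub(r"[:.-]", "", s)

def render(mac: str, fmt: str) -> str:
    """Rewrite mac in the format the RADIUS side is configured for."""
    return FORMATS[fmt](canonical(mac))

def detect(mac: str):
    """Name the table row mac is written in, or None if it matches none of them."""
    try:
        digits = canonical(mac)
    except ValueError:
        return None
    # Digits-only addresses fit both cases; the first matching row is returned.
    return next((name for name, f in FORMATS.items() if f(digits) == mac), None)

if __name__ == "__main__":
    sent_by_nas = "AABB.CCDD.EEFF"   # constructed sample value
    print(detect(sent_by_nas), render(sent_by_nas, "lowercase-colons"))
```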
RADIUS Accounting
Enable accounting to track session data.
Accounting Request Types
| Type | Value | When Sent |
|---|---|---|
| Start | 1 | Session begins |
| Stop | 2 | Session ends |
| Interim-Update | 3 | Periodic updates |
| Accounting-On | 7 | NAS startup |
| Accounting-Off | 8 | NAS shutdown |
Useful Accounting Attributes
| Attribute | Description |
|---|---|
| Acct-Session-Id | Unique session identifier |
| Acct-Session-Time | Duration in seconds |
| Acct-Input-Octets | Bytes received by client |
| Acct-Output-Octets | Bytes sent by client |
| Acct-Terminate-Cause | Why session ended |
Testing RADIUS
Use command-line tools to test RADIUS connectivity.
Using radtest
```bash
# Test PAP authentication
radtest username password your-radius-server 0 shared_secret
# Test with specific NAS-IP
# (the sixth argument is ppphint, so the NAS name goes in the seventh position)
radtest username password your-radius-server 0 shared_secret 0 10.0.0.1
```
Using radclient
```bash
# Create request file
echo "User-Name = testuser
User-Password = testpass
NAS-IP-Address = 10.0.0.1
NAS-Port = 0
Called-Station-Id = AA-BB-CC-DD-EE-FF:TestSSID
Calling-Station-Id = 11-22-33-44-55-66" > request.txt
# Send request
radclient -x your-radius-server:1812 auth shared_secret < request.txt
```
Expected Responses
| Response | Meaning |
|---|---|
| Access-Accept | Authentication successful |
| Access-Reject | Authentication failed |
| Access-Challenge | More info needed (EAP) |
| No response | Check connectivity/secret |
Troubleshooting
- Verify network connectivity (ping RADIUS server)
- Check firewall allows UDP 1812/1813
- Confirm RADIUS server IP is correct
- Verify NAS client is registered in NetKey
- Check username/password are correct
- For MAC auth: verify MAC format matches
- Check user/endpoint exists in NetKey
- Verify SSID restriction if configured
- Check PSK/endpoint hasn't expired
- Shared secrets are case-sensitive
- Check for trailing spaces
- Some devices have character limits
- Re-enter the secret on both sides
- Verify NAS supports RADIUS VLAN override
- Enable AAA override on the NAS
- Check VLAN exists on NAS infrastructure
- Verify NetKey returns Tunnel attributes