QNAP NAS Community Forum

[pwilson]

QNAP RADIUS Server

I have 5 Wireless Access Points on my Home Network, so I decided I want to use QNAP's built-in RADIUS Server to authenticate my WiFi connections, so that I can have centralized management rather than having to configure every Wireless-AP individually.

I carefully reviewed the RADIUS Server section of the QNAP Turbo NAS User Manual.

I have also reviewed the tutorial: How to Use QNAP NAS as a RADIUS Server.

Issue: Unable to configure RADIUS Server on QNAP NAS (TS-419P+)!

I presently operate my network on the 10.77.13.0/24 network. I have a single DHCP/DNS Server on my main router, but I have 4 additional Wireless-AP's on my network. My Wireless-AP's are as follows:

10.77.13.1: ASUS RT-N16 (My main Router)
10.77.13.77: Netgear WNDR-3700
10.77.13.78: Linksys WRT160N
10.77.13.79: Buffalo WZR-HP-300NH
10.77.13.80: D-Link DIR-825

All 5 of these devices are running under DD-WRT Router Firmware, and all support WPA2-Enterprise(RADIUS) authentication. This setup works correctly under normal WPA2-Personal/AES, as it should. All 5 of these use the subnet mask 255.255.255.0 (24bit netmask).

I attempted to add my main router as follows:



When I attempt to add my main router to the QNAP RADIUS server as a new client, it rejects my entry with:



I don't understand why I am getting this error. All of my Wireless-AP's, including the main router are already successfully on the 10.77.13.0/24 network, so why won't the QNAP RADIUS server permit me to set this up. My RADIUS research suggests that my configuration should be valid under RADIUS.

Is this a QNAP Admin WebUI issue? I don't understand why it won't accept my data. My network is already working under WPA2-Personal/AES with this setup, so I don't understand why the QNAP RADIUS server won't allow me to configure this. I have even attempted to use completely different subnets, just to see if I could configure this, but it seems to give the same response to ANY IP address / CIDR range I choose. I think the QNAP Admin WebUI is completely broken.

Is there a file I can manually edit to avoid this apparent limitation in the Admin WebUI? Please advise...

Thank-you.

Patrick.

PS: QNAP TS-419P+ w/ firmware: v3.7.1

[emme]

I got the same issue...

it looks like the radious server only accept 1 IP per prefix lenght.

I workaraoud the issue setting differente prefix lenght (24, 23 and 22)

I tested the radius connection on all AP and they're working good.

Cannot figure out what exactely is prefix lenght since it seems it doesn't affect my network operation.

ciao
M

[pwilson]

I got the same issue...

it looks like the radious server only accept 1 IP per prefix lenght.

I workaraoud the issue setting differente prefix lenght (24, 23 and 22)

I tested the radius connection on all AP and they're working good.

Cannot figure out what exactely is prefix lenght since it seems it doesn't affect my network operation.

ciao
M

It won't accept even my first entry. My DHCP/DNS Server lives on my router at 10.77.13.1/24. The Radius Server is not very useful to me if I can't add my router as a RADIUS client. I want to add all five of these devices, but at this point I can't even add the first one. Surely the router is the first client to configure. I tried to add all of these, but it will not accept my data.


Patrick.

[grobylev]

Hi,

Please take a look here:
viewtopic.php?f=142&t=48714&p=250777&hilit=radius+prefix#p250777

Got the same issue, the error is somewhat wrong.

But the 'client' name is actualy not 1 client, but can also be a subnet.

If you add 192.168.1.1/24 for example, you actualy add 192.168.1.0/24 as a whole subnet.
So use 192.168.1.1/32 for only that client, then you can also add 192.168.1.2/32 without the error because there is no overlap in the subnets.

So when you add one 'client', you actually add a whole subnet, and the other devices will be able to connect as well (I can confirm it, my router, APC Network Management Card, etc. connects without any problem)
You can check in the config file why do you receiving this message (if nothing is added previously -- i'm not at home at the moment so cannot tell you the exact name of the config file, if I remember correctly radiusd.conf (or something similar) in the /etc/config folder...), or -- disable radius server, restore the default config, than enable again.

I agree that the error message is misleading... learned in the hard way...

Regards, Robert

[emme]

file names in /etc/config are
radius_global.conf
radius_users

[pwilson]

file names in /etc/config are
radius_global.conf
radius_users

Thank-you for the filenames/locations. Unfortunately the files aren't as useful to me as I'd expected. "radius_global.conf" is almost empty, and "radius_users" is absent. I wish I could add even a single AP to the Radius Configuration portion of the Admin WebUI, just so I'd have something to work with, but alas it won't let me add even a single entry.

I continue to get the same error screen for any IP address I provide. I tried to use a 32bit prefix as someone else suggested. It simply won't accept any data I provide.
Perhaps I should simply leave my network setup "as is". I can already access my network, and it's devices from any of my Wireless-AP's under WPA2-Personal/AES, so perhaps I should simply live without RADIUS.

It would be a shame to do so though. This is only a home network, but due to it's 5 Wireless-AP's, I was hoping to use RADIUS in order to provide centralized management of my WiFi credentials. I figured it would be less work to manage a single management interface (RADIUS on my NAS), rather than needing to reconfigure 5 devices every time I want to change my WiFi credentials.

Thanks again for providing those filename references. I appreciate it.

Patrick.

[P3R]

I continue to get the same error screen for any IP address I provide. I tried to use a 32bit prefix as someone else suggested. It simply won't accept any data I provide.

I have no problem when adding the information exactly the way you do in your first post, or adding the network that the NAS is itself within or when adding individual hosts with a 32 mask.

This is on a TS-559 Pro II running 3.7.1 with patch.

I don't have a possibility to check on an ARM-based unit now (let's hope someone else can do that for you) but it's probably either a platform-related problem, or a problem with something else in your configuration. If you could try to turn other things off temporarily, maybe you could find out if there is a conflict?

[evilfudge]

Patrick,

This isn't working for you owing to the fact that you are referencing a host IP in a /24. The point of specifying the subnet is that it allows to you to detail the number of hosts covered by the entry. This does not necessarily match the subnet mask specified on the device.

By saying /24, you are saying you'd like any device on your LAN (out of 253 possible IPs) to query the radius server. If you are limiting it to a single device, use /32 (equivalent of 255.255.255.255, or a single host).

You have two options.

Specify 10.77.13.1/32 for the first wireless AP, and then add each AP individually. You will have five entries in your list. Each AP needs to be added as /32 (not /24), as you are referencing a single host.

OR

specify 10.77.13.0/24. (note it's 0/24, not 1/24) This should cover all of your APs with a single entry in the clients list. You can add further APs or other devices down the track without having to touch the configuration on the QNAP.

Hope this helps.