Applicable platforms: AX
Applicable versions: 5.11.0 and above
Software version 5.11.0 introduces support for configurable RADIUS NAS Identifier formats on ePMP 4500 and 4600 Access Points.
A Network Access Server (NAS) is a device that acts as a gateway for user authentication and accounting when interacting with a RADIUS server.
Starting with 5.11.0, the AP allows administrators to control how the NAS identity is presented in RADIUS Access-Request packets.
The following options are supported:
- NAS-Identifier (ID)
- NAS-IP-Address (IP)
- Both (ID + IP)
After upgrading to 5.11.0 or later, the default setting is NAS-Identifier (ID).
In the GUI, navigate to AP > Configuration > Security.
cnMaestro template:
{
  "device_props": {
    "wirelessRadiusNASIDFormat": "2"
  }
}
MIB object:
wirelessRadiusNASIDFormat OBJECT-TYPE
SYNTAX Integer32 (1|2|3)
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"NAS-Id format - sending NAS-Identifier, NAS-IP-Address or both to RADIUS server
1 - sending NAS-IP-Address,
2 - sending NAS-Identifier,
3 - sending both.
Only private community can read this attribute.
Applicable for 802.11ax devices only
Device Allocation: AP"
DEFVAL { 2 }
::= { wirelessRadius 11 }
Behavior in Earlier Versions
In software versions prior to 5.11.0, NAS attributes were inconsistent:
- Outside the TTLS tunnel: only NAS-Identifier
- Inside the TTLS tunnel: NAS-Identifier + NAS-IP-Address
This behavior could result in:
- Inconsistent RADIUS logs
- Policy mismatches
- Integration challenges with strict AAA or billing systems
Behavior in 5.11.0 and Later
With the new feature, NAS identification is consistent and configurable, both inside and outside the TTLS tunnel.
Outside the TTLS tunnel:
Access-Request packet from host 10.1.11.71 port 58107, id=54, length=278
User-Name = "anonymous@cambiumnetworks.com"
NAS-Identifier = "E4600_4x4"
Called-Station-Id = "BC-E6-7C-F0-0A-E2:E6K_4x4_f00ae1_CS"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Calling-Station-Id = "BC-E6-7C-F0-0C-A4"
….
Framed-MTU = 1400
Inside the TTLS tunnel:
eap_ttls: Sending tunneled request
Virtual server inner-tunnel received request
User-Name = "cambium-sm"
….
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-Identifier = "E4600_4x4"
Called-Station-Id = "BC-E6-7C-F0-0A-E2:E6K_4x4_f00ae1_CS"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Calling-Station-Id = "BC-E6-7C-F0-0C-A4"
Connect-Info = "CONNECT 24Mbps 802.11a"
….
Framed-MTU = 1400
NAS-IP-Address = 10.1.11.81
With the new feature, you can choose the format in which the NAS identity is sent (IP/ID/Both).
Examples: RADIUS Access-Request Formats
1) ID only
Received Access-Request Id 5 from 10.10.10.1:47807 to 10.10.10.2:1812 length 266
User-Name = "anonymous@cambiumnetworks.com"
NAS-Identifier = "F400"
Called-Station-Id = "00-04-56-00-11-23:Cambium-AX"
...
2) IP only
Received Access-Request Id 5 from 10.10.10.1:45638 to 10.10.10.2:1812 length 259
User-Name = "anonymous@cambiumnetworks.com"
NAS-IP-Address = 192.168.0.1
Called-Station-Id = "00-04-56-00-11-23:Cambium-AX"
…
3) Both
Received Access-Request Id 10 from 10.10.10.1:44227 to 10.10.10.2:1812 length 401
User-Name = "anonymous@cambiumnetworks.com"
NAS-IP-Address = 192.168.0.1
NAS-Identifier = "F400"
Called-Station-Id = "00-04-56-00-11-23:Cambium-AX"
...
Key Benefits
- Consistent NAS identification inside and outside TTLS tunnels
- Improved compatibility with third-party RADIUS servers
- Cleaner RADIUS logs and easier troubleshooting
- Better support for IP-based and ID-based AAA policies
Recommendations
- Use Both for maximum compatibility or mixed-policy environments
- Use ID only for multi-AP or NATed deployments with strict naming conventions
- Use IP only for legacy AAA systems requiring NAS-IP-Address
- Always verify RADIUS policy behavior after upgrading to 5.11.0
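One way to carry out the post-upgrade check recommended above, as an added example that is not Cambium's own code: the script splits a RADIUS server debug dump into requests, maps the NAS attributes in each one to the wirelessRadiusNASIDFormat value (1, 2 or 3), and lists every request that differs from the configured format. The function names and the sample dump are constructed for illustration, and the header patterns assume dumps shaped like the ones on this page.

```python
import re

# wirelessRadiusNASIDFormat values, as listed in the MIB description on this page
FORMATS = {1: {"NAS-IP-Address"}, 2: {"NAS-Identifier"},
           3: {"NAS-IP-Address", "NAS-Identifier"}}

# A request begins at an outer Access-Request header or at the inner-tunnel line
START = re.compile(r"Access-Request|inner-tunnel received request")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def split_requests(log_text):
    """Return [(header, {attribute: value}), ...] for each request in the dump."""
    requests = []
    for line in log_text.splitlines():
        m = ATTR.match(line)
        if m is None and START.search(line):
            requests.append((line.strip(), {}))
        elif m and requests:
            requests[-1][1][m.group(1)] = m.group(2).strip('"')
    return requests

def observed_format(attrs):
    """Map the NAS attributes present to format 1, 2 or 3 (None if neither is sent)."""
    present = FORMATS[3] & set(attrs)
    return next((v for v, needed in FORMATS.items() if present == needed), None)

def audit(log_text, expected):
    """List (header, observed format) for requests that differ from the configured format."""
    return [(hdr, observed_format(attrs))
            for hdr, attrs in split_requests(log_text)
            if observed_format(attrs) != expected]

# Constructed sample, modelled on the request dumps shown on this page
SAMPLE = """\
Received Access-Request Id 5 from 10.10.10.1:47807 to 10.10.10.2:1812 length 266
User-Name = "anonymous@cambiumnetworks.com"
NAS-Identifier = "F400"
Called-Station-Id = "00-04-56-00-11-23:Cambium-AX"
Virtual server inner-tunnel received request
User-Name = "cambium-sm"
NAS-Identifier = "F400"
NAS-IP-Address = 192.168.0.1
"""

if __name__ == "__main__":
    for header, fmt in audit(SAMPLE, expected=2):
        print(f"format {fmt}, expected 2: {header}")
```

Run it over a debug capture taken before and after the upgrade, with `expected` set to the configured wirelessRadiusNASIDFormat value, to see which requests a policy keyed on NAS-IP-Address or NAS-Identifier would no longer match.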
