NAS devices are the network devices that send RADIUS authentication requests to Altostrat. In the UI, this includes routers, switches, access points, VPN gateways, firewalls, wireless controllers, and other RADIUS-capable clients.

Prerequisites

Before you register a device, confirm that:
  • The network device can be configured as a RADIUS or RadSec client.
  • You know the device identifier you want operators to recognize in logs.
  • The device can reach the RADIUS service values shown in its device detail page.
  • You have access to upload certificates or configure RadSec when using secure transport.
  • If you use CoA or PoD, the device can accept control messages from the source address and secret shown in the UI.

Add A Device

1. Open Devices
   In the RADIUS app, open Settings and select Devices.

2. Create a NAS device
   Enter the device name or NAS identifier, choose the device type, and add an optional description.

3. Choose auto registration
   Enable auto user registration only if unknown users should be created automatically. Select a default group when those users should inherit policy immediately.

4. Configure CoA and PoD when needed
   Enable CoA and PoD replies if you want RADIUS to disconnect users or send change-of-authorization messages.

5. Save and open the device
   After saving, open the device detail page to copy RadSec values and download certificates.

Device Fields

| Field | Purpose |
| --- | --- |
| Device name or NAS identifier | The identifier shown in device lists, logs, and dashboards. |
| Description | Operator-facing context for the device. |
| Device type | Router, switch, access point, VPN gateway, firewall, wireless controller, or other. |
| Auto user registration | Allows the device flow to create users automatically when enabled. |
| Auto registration group | Optional group assigned to automatically registered users. |
| CoA and PoD replies | Enables disconnect and change-of-authorization behavior. |
| NAS IP address | Device address used for CoA and PoD replies. |
| NAS inbound port | Device port for CoA and PoD replies. The UI defaults to 3799. |
| Secret | Shared secret used for CoA and PoD replies. |
| Metadata | Custom operational fields for this device. |

RadSec Configuration

The device detail page shows the current RadSec configuration and certificate downloads. Use the values shown there when configuring the NAS. The UI currently displays:
  • FQDN: aaa.altostrat.io
  • IP addresses: 75.2.67.221, 166.117.188.111
  • Port: 2083
  • NAS certificate download.
  • Client CA certificate download.
  • NAS private key download.
Use the values shown on the live device page if they differ from this documentation. Network service endpoints can be updated over time, and the device page is the operator source of truth.
RadSec uses mutual TLS. The NAS certificate identifies the workspace, organization, and NAS device, and the RadSec edge binds traffic to that registered identity. That means logs and authorization use the trusted NAS identity from the certificate rather than trusting a mutable NAS-Identifier supplied by the device. Use one certificate set per NAS device. Reusing certificate material across routers, access points, or controllers makes logs harder to trust and weakens device-level isolation.
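
One way to audit the "one certificate set per NAS device" rule before deployment, as an added example that is not Altostrat code: it fingerprints the downloaded NAS certificate for each device and reports any certificate that appears under more than one NAS. The device names and PEM contents are constructed placeholders, and the inventory layout (NAS name mapped to PEM text) is an assumption.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate in a PEM file."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def find_reused_certs(inventory):
    """Map fingerprint -> NAS names, keeping only certs seen on more than one NAS."""
    by_fp = defaultdict(list)
    for nas_name, pem_text in inventory.items():
        by_fp[leaf_fingerprint(pem_text)].append(nas_name)
    return {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}


def fake_pem(payload):
    """Constructed stand-in for a downloaded NAS certificate (not real DER)."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed inventory: hypothetical NAS names mapped to their certificate PEM.
INVENTORY = {
    "branch-router-1": fake_pem(b"constructed cert A"),
    "lobby-ap-1": fake_pem(b"constructed cert B"),
    "lobby-ap-2": fake_pem(b"constructed cert B"),  # same material as lobby-ap-1
}

if __name__ == "__main__":
    for fp, names in find_reused_certs(INVENTORY).items():
        print("certificate", fp[:16], "is shared by", ", ".join(names))
```

An empty result means every NAS in the inventory presents a distinct certificate.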

Auto Registration

Auto registration is useful for MAC-based access flows where the NAS sends a Calling-Station-Id or a MAC-like username and you want unknown devices to become users automatically. When auto registration is enabled on the NAS:
  • Unknown MAC-based users can be created automatically.
  • The username is normalized from the MAC address.
  • The user can be assigned to the selected auto-registration group.
  • The user starts active unless your operating process changes status after creation.
  • The user is linked to the NAS that created it through metadata.
Only enable auto registration on NAS devices where this behavior is intentional. For ordinary username/password access, leave it disabled and create users through the normal user workflow or bulk import.

CoA And PoD

Enable CoA and PoD replies when you need session control, such as manual disconnects or authorization changes. The UI collects:
  • NAS IP address.
  • NAS inbound port.
  • CoA and PoD secret.
The device dashboard also displays the message source address for control messages. The current UI shows 18.214.81.214 as the source address and 3799 as the default inbound port. Configure the NAS to accept CoA and PoD traffic from the values shown in the device page. For the full dynamic authorization workflow, see CoA and PoD.
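
What "accept CoA and PoD traffic from the values shown" means on the NAS side, as an added example that is not Altostrat or vendor code: it checks the datagram's source address against the one this page lists, then verifies the Request Authenticator as RFC 5176 defines it for Disconnect-Request and CoA-Request packets. The secret, user name, and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

# Source address this page says the UI shows; use the live device page if it differs.
COA_SOURCE = "18.214.81.214"
# RADIUS codes from RFC 5176: Disconnect-Request (PoD) and CoA-Request.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Build a packet the way the sender would (used here for sample input)."""
    auth = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def accept_control_message(packet, src_ip, secret):
    """Return (accepted, reason) for an inbound CoA/PoD datagram."""
    # The address filter narrows exposure; the authenticator proves the secret.
    if src_ip != COA_SOURCE:
        return False, "unexpected source address"
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "not a CoA or PoD request"
    if length < 20 or length > len(packet):
        return False, "bad length field"
    attrs = packet[20:length]
    expected = request_authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "authenticator mismatch"
    return True, "ok"


# Constructed sample: a Disconnect-Request carrying a User-Name attribute (type 1).
SECRET = b"constructed-coa-secret"
USER = b"aa-bb-cc-dd-ee-ff"
SAMPLE = build_request(DISCONNECT_REQUEST, 7, bytes([1, 2 + len(USER)]) + USER, SECRET)

if __name__ == "__main__":
    print(accept_control_message(SAMPLE, COA_SOURCE, SECRET))
    print(accept_control_message(SAMPLE, "203.0.113.9", SECRET))
```

A mismatch on a packet from the expected source usually means the CoA and PoD secret on the NAS does not match the one entered in the UI.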

Device Dashboard

Open a device to view:
  • Authentication logs for that NAS.
  • Log status, execution time, user, container, IP address, and timestamp.
  • Total requests.
  • Success rate.
  • Active sessions.
  • Reject count.
  • RadSec configuration values.
  • Certificate, CA, and private key downloads.
  • CoA and PoD settings.
  • Metadata and shortcuts.
Use the device dashboard when you are troubleshooting a specific router, access point, VPN gateway, or controller. It is faster than filtering global logs when you already know which NAS sent the request.

Delete A Device

Deleting a NAS device removes it from the RADIUS configuration. Existing authentication from that device will stop working once the device no longer matches an active RADIUS client configuration. Before deleting, confirm:
  • The device is decommissioned or replaced.
  • No active users depend on it.
  • You have exported or copied any certificate material you still need for migration.
  • Recent logs do not show unexpected authentication traffic.