Dynamic Clients IP Best practice?

[Phil Mayers]

On 06/23/2011 08:24 PM, Brent Wilkinson wrote:
> I unfortunately have a large amount of hotspots that are behind dynamic
> ip’s. We have tried to get as many of them onto statics as possible but
> are having issues with that. After having read through a few dozen
> different threads and readmes does freeradius have something that has
> been put into place to address this?( I assume the answer is no or I
> glazed over while reading and missed the answer) .
>
> If there is no built in feature is there a best practice for this?

FreeRADIUS has the facility to dynamically create client entries; when a 
packet from an unknown client is received, a virtual packet is sent 
through a virtual server, and the reply is used to build a "client" 
statement.

See sites-available/dynamic-clients

Because you have the full capability of FreeRADIUS, including SQL/LDAP, 
scripts, perl/python modules etc. it should be easy to hook any access 
control system you want in; as long as you have some way to 
"authenticate" an IP really is a hotspot, or don't care about security ;o)

In all seriousness, something like IPSec/GRE is more secure than this. A 
better solution long-term would be radius-over-TLS, but it's dead 
certain your APs don't support it.