Authorising Clients by Calling Station ID Not IP

Johan Meiring jmeiring at pcservices.co.za
Tue Oct 25 11:45:45 CEST 2011


On 2011/10/24 09:06 PM, Jennyanydots Napoleon Shoehorn wrote:
> OH! I've looked at too many lines of code over the last week.
> 
> I have no idea how to patch but will investigate. Was thinking we might have 
> to use nas-id instead.
> 
> The ultimate intention was to use the mac address of the nas and a nas 
> specific shared secret.
> 
> In your opinion, are there better ways to deal with dynamic clients?
> 
> Thanks again
> 


Hi,

I look up my clients using "dynamic clients" and Nas-Identifier.

You need a module that is not included by default called rlm_raw.
You can download a patch here:  http://www.sendspace.com/file/f91rqi

The last file won't apply cleanly to 2.1.12, just manually add rlm_raw to the "src/modules/stable" file.  (Look at the patch).

In your freeradius config, you need to "instantiate" rlm_raw.

/etc/freeradius/radiusd.conf
instantiate {
        raw
}

You need a module:
/etc/freeradius/modules/raw
raw {
}

My dynamic clients config:
/etc/freeradius/sites-available/my-dynamic-clients
client dynamic {
  ipaddr = 0.0.0.0
  netmask = 0
  dynamic_clients = dynamic_nas
  lifetime = 86400
}

server dynamic_nas {
  authorize {
    if ("%{sql: select count(*) from Nas where Identifier='%{raw:NAS-Identifier}'}" == "1") {
      update control {
        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
        FreeRADIUS-Client-Require-MA = no
        FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}' and NasTypeID=1}"
        FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
        FreeRADIUS-Client-NAS-Type = "other"
        FreeRADIUS-Client-Virtual-Server = "dynamic_server"
      }
      ok
    }
  }
}


Notes:
- "dynamic_server" is the specific virtual server that handles the dynamic clients.
- the rlm_raw packet MIGHT contain Calling-Station-Id (or do you mean Called-Station-Id??) as well.  You will have to look.


Hope this helps.

Cheers,





-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
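
The note above says you will have to look at which attributes the raw packet carries. As an added example (not part of the original post, and not rlm_raw or FreeRADIUS code), this Python parses a raw RADIUS packet for NAS-Identifier, Calling-Station-Id and Called-Station-Id and repeats the dynamic_nas lookup against an in-memory SQLite table. The function names, the sample packet and the sample Nas row are constructed for illustration; the column names follow the queries in the post.

```python
import sqlite3
import struct

# RADIUS attribute numbers from RFC 2865
ATTRS = {30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier"}

def parse_attributes(packet):
    """Return the attributes of interest found in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype in ATTRS:
            found[ATTRS[atype]] = packet[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    return found

def lookup_secret(db, packet):
    """Same decision as dynamic_nas: one matching Nas row, then its secret."""
    nas_id = parse_attributes(packet).get("NAS-Identifier")
    if nas_id is None:
        return None
    count = db.execute(
        "SELECT count(*) FROM Nas WHERE Identifier = ?", (nas_id,)).fetchone()[0]
    if count != 1:
        return None
    row = db.execute(
        "SELECT RadiusSecret FROM Nas WHERE Identifier = ? AND NasTypeID = 1",
        (nas_id,)).fetchone()
    return row[0] if row else None

def build_request(attrs):
    """Constructed sample: Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

def sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Nas (Identifier TEXT, RadiusSecret TEXT, NasTypeID INTEGER)")
    db.execute("INSERT INTO Nas VALUES ('branch-ap-01', 'constructed-secret', 1)")
    return db

SAMPLE = build_request([(32, b"branch-ap-01"), (31, b"00-11-22-33-44-55")])
```

The identifier is read from the packet before any shared secret has been selected, so at this stage it is an unverified claim by the sender; the lookup only decides which secret the rest of the exchange is checked against.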
