lifetime of dynamic clients

steve at comitcon.be
Wed Oct 2 18:51:37 CEST 2013


Dear Alan

See my comments below.
> steve at comitcon.be wrote:
>> I have rebuilt freeradius on debian 7.0. I have added rlm_raw and have a
>> working dynamic client configuration where I use Called_Station_ID to
>> authenticate / validate that a NAS is allowed to use this radius server.
>
>   That's not a recommended configuration.

1. FreeRadius lacks the ability to actually run NASes behind a link with a
dynamic IP. Although not recommended, this software does not support a
proper way of dealing with this.

>
>> I wait for a couple of minutes
>> and I executed the following command of client A:
>>  echo "NAS-IP-Address=10.1.2.236,
>> Called-Station-Id=00:40:96:aa:bb:cc,User-Name='testradius',User-Password='test',"
>> | radclient -c '1' -n '3' -r '3' -t '3' -x '46.18.36.232:1812' 'auth'
>> 'mysecret'
>>
>> This has a faulty Called-Station-Id in it. I would assume that it would
>> not allow me to connect. But this appears to still work.

This is indeed a fake. I have added this in mysql in the nas table under
the field community (described in the ify/yfi setup). The connection actually
works. I can (ab)use this field as much as desired.
>
>   Of course.  RADIUS depends on IP addresses, not on Called-Station-Id.
>  This is documented in the "dynamic_clients" configuration.  Right at
> the top of the virtual server.

Yes, I have read the documentation (multiple sources, google etc.). I was
just wondering what happens when you use the raw module.
>
>> I am wondering
>> - The first time the IP address of client A is added to the list of
>> known
>> client
>> - So the second time , it will check first in the list if the IP is
>> known,
>> if so it won't go checking using the process defined in dynamic clients?
>
>   That's what the documentation says.

Again, yep, read the docs... It is also stated in the yfi docs in the
remarks below their dynamic client section.

>
>> But no matter how long I wait, it appears that the cache if not cleared.
>>
>> I have added a lifetime of 60 in the dynamic client conf, so I would
>> assume that if I wait for a minute, the IP of client A would not be
>> known,
>> and it would go through checking again.
>
>   That's how it works.
>
>> Am I wrong in this? If not can I read the cache to find out why it is
>> keeping that record?
>
>   You can use "radmin" to query the server about a client.  It won't
> show you the lifetime of that client.  But it will show you if the
> client still exists.
>
Is a client defined by a NAS or a user? Because I need to figure out how
or when the dynamic client is removed from the cache.
>   And as always, run the server in debugging more.  READ the output.  It
> tells you exactly what's going on, and why.
>

The output shows indeed when it goes through the dynamic server
section, and once it is authenticated it only runs through the default
(which is understandable).

Steve
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
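The behaviour discussed in this thread (a NAS is identified by its source IP; the Called-Station-Id check only runs when the dynamic client entry is first created, and the entry lives for `lifetime` seconds) as an added, constructed Python model. This is not FreeRADIUS code; the allow-list, secret and timestamps are made up for the illustration.

```python
"""Constructed model of dynamic-client lookup keyed by NAS source IP."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed allow-list: NAS IP -> Called-Station-Id it is expected to send.
# (Stands in for the SQL/raw lookup used in the thread.)
ALLOWED_NAS = {"10.1.2.236": "00:40:96:11:22:33"}


@dataclass
class DynamicClient:
    ip: str
    secret: str
    expires_at: float  # absolute time after which the entry is stale


class ClientCache:
    def __init__(self, lifetime: int):
        self.lifetime = lifetime
        self.clients: Dict[str, DynamicClient] = {}

    def lookup(self, src_ip: str, called_station_id: str, now: float) -> Tuple[bool, bool]:
        """Return (accepted, created_new) for a packet from src_ip at time `now`."""
        entry = self.clients.get(src_ip)
        if entry is not None and now < entry.expires_at:
            # Known client: per-packet attributes are NOT re-validated here.
            return True, False
        if entry is not None:
            del self.clients[src_ip]  # lifetime elapsed; re-run the definition step
        # Dynamic client definition: this is the only point the attribute is checked.
        if ALLOWED_NAS.get(src_ip) != called_station_id:
            return False, False
        self.clients[src_ip] = DynamicClient(src_ip, "mysecret", now + self.lifetime)
        return True, True


def replay_thread_scenario(lifetime: int = 60):
    """Valid packet, forged Called-Station-Id within lifetime, then after expiry."""
    cache = ClientCache(lifetime)
    good, forged = "00:40:96:11:22:33", "00:40:96:aa:bb:cc"
    return [
        cache.lookup("10.1.2.236", good, now=0),     # creates the client
        cache.lookup("10.1.2.236", forged, now=30),  # accepted: IP already known
        cache.lookup("10.1.2.236", forged, now=61),  # expired, re-checked, rejected
        cache.lookup("10.1.2.236", good, now=62),    # re-created
    ]
```

The second result is the surprise from the original post: once the IP is a known client, a forged Called-Station-Id is never looked at again until the entry expires.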