Dynamic Clients

Alan DeKok aland at deployingradius.com
Thu Aug 14 11:48:33 CEST 2014


Kev Pearce wrote:
> I've spent many hours now trying to get dynamic clients working the way
> I would like them to.

  Read raddb/sites-available/dynamic-clients.  This is extensively
documented.

> 1) Is it possible to 'key' all clients by the NAS-IP-Address field
> rather than the source IP address field?

  Not really, no.  But... if you read the file I mentioned above, you
can create a client based on anything you want.

> I do appreciate that RFC2865 states that is MUST NOT be used, but that
> was back in 2000, when Cloud and SaaS hosting didn't exist.

  It's really about security.  If you need random clients connecting to
your server, you should be using RADIUS over TLS.

> 2) Can Dynamic Clients also be keyed by NAS-IP-Address (naturally
> linked to q1)?

  See above.

> I've built my freeradius with the raw module and can do all the dynamic
> clients SQL queries using NAS-IP-Address fine, BUT freeradius refuses to
> cache the client secret with the message:

> - Cannot add client 192.168.26.119: IP address 10.10.10.10 do not match

  The packet came from 192.168.26.119, and you're telling the server to
add a client with IP 10.10.10.10.  That doesn't make sense.

> 3) Can a dynamic client set to match 0.0.0.0/0, support loading a
> 0.0.0.0/0 client from sql on start up?

  No.

> If I have a client defined in my nas table with the nasname 0.0.0.0/0, I
> get the following message on start up:
..
> Failed to add duplicate client All

  Then you have two clients defined, using the same IPs.  Don't do that.

> I've tested having 0.0.0.0/1 and 128.0.0.0/1 as two separate clients
> pointing to one dynamic clients virtual server, like this:

  You can just use 0.0.0.0/0.

> But then when I try a radtest (now using normal source address matching)
> the client still gets looked up by the dynamic client, even though this
> 'All' entry should match any v4 IP address:

  Because you told it to look up the client as dynamic.  What else did
you expect?

> client dynamic_bottom {
>     ipaddr = 0.0.0.0
>     netmask = 1
>     dynamic_clients = dynamic_client_server
>     lifetime = 3600
> }

  That is a dynamic client.  If you don't want a dynamic client, just do:

client all {
    ipaddr = 0.0.0.0
    netmask = 0
    secret = testing123
}

  i.e. create a normal client definition.

> Is it possible to 'see' the list of known clients within freeradius when
> it is running, be they loaded at start up or learned by dynamic_clients?

  See radmin.  You can query the list of known clients.

> 4) Do dynamic clients support network address range client definition
> lookups in sql, i.e. nasname = 192.168.1.0/24?

  No.  Dynamic clients are specific to one IP.

  Alan DeKok.
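As an added example (not from Alan's reply or from the FreeRADIUS distribution), here is a dynamic client definition and virtual server that does what the original poster was after: the secret is fetched from SQL keyed on NAS-IP-Address, but the client is registered under the packet's source address, which is what the "IP address ... do not match" check enforces. The table and column names (nas, nasname, secret) and the server name dynamic_client_server follow the thread; the sql module instance, the Tmp-String-0 scratch attribute and the shortname format are assumptions.

```conf
# Added example for FreeRADIUS 3.x; assumed to live in a sites-enabled file
# alongside the sql module.  Any IPv4 source may trigger the lookup here;
# narrow ipaddr/netmask to the networks your NAS devices actually live in.
client dynamic_all {
	ipaddr = 0.0.0.0
	netmask = 0
	dynamic_clients = dynamic_client_server
	lifetime = 3600
}

server dynamic_client_server {
	authorize {
		# NAS-IP-Address is supplied by the peer and is not authenticated
		# yet, so it only selects the row.  It is an ipaddr-typed attribute,
		# so the expansion is always a dotted quad; the sql xlat escapes
		# expanded values anyway.
		update request {
			Tmp-String-0 = "%{sql:SELECT secret FROM nas WHERE nasname = '%{NAS-IP-Address}'}"
		}

		# No row for this NAS-IP-Address: create no client at all.
		if (!&Tmp-String-0 || (&Tmp-String-0 == "")) {
			reject
		}

		# Register the client under the address the packet really came
		# from.  Setting any other IP here produces the "do not match"
		# error quoted in the thread.
		update control {
			FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
			FreeRADIUS-Client-Shortname = "nas-%{NAS-IP-Address}"
			FreeRADIUS-Client-Secret = "%{Tmp-String-0}"
		}
		ok
	}
}
```

Because the row is chosen by a value the peer controls, any host that can reach the port can cause a client entry to be cached for its own source address for the full lifetime, so keep the lifetime short, keep the client range tight, and watch the dynamic client list with radmin; Alan's suggestion of RADIUS over TLS avoids the problem entirely.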
