Dynamic Clients

Kev Pearce email.me at kevp.com
Thu Aug 14 13:48:42 CEST 2014


Thanks for the comments Alan.

I can look up clients in my nas table by NAS-IP-Address just fine, I get that
bit, but I can't get FR to 'cache' the reply (and therefore process the
request as accepted) as it always ends up referring (keying) to the source
IP address.

> - Cannot add client 192.168.26.119: IP address 10.10.10.10 do not match

What I need FR to do is to see the packet as coming from the NAS-IP-Address
field, in this example 10.10.10.10 so it does match the reply from the sql
nas table query.
The source IP of the radius packet here is 192.168.26.119 and I need FR to
use 10.10.10.10 instead, in this example.
I can't see how to set FR up to do this; to me this is more than just
dynamic-clients setup, it's more fundamental to the way FR clients work.
I wondered if there was anything I could change in configure?

> It's really about security.  If you need random clients connecting to your
> server, you should be using RADIUS over TLS.

RADIUS over TLS is for my next workstream, for now I'd like to get FR
working nice and simple (for the users anyway!) with NAS-IP-Address and
secrets per NAS.

Or is the only answer to the keying of NAS-IP-Address (which is just the
original IP address of the packet before the source IP is NATted over the
internet) actually TLS...
Does FR see the original source IP address of the NAS as the source IP of
the packet, once the TLS is unwrapped?

> Because you told it to look up the client as dynamic.  What else did you
> expect?

Thank you, that confirms a few things (longest netmask wins, just like IP
routing) and I now have a plan B that I've tested and works great.

Cheers very much once again,

Kev/.




