Following on from my previous post on Centralised LDAP Auth post: <a href="http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html">http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html</a><br>
<br>I've found that using dynamic-clients gives me a few advantages over using huntgroups.<br><br>1) Dynamic Clients allows you to have per-NAS shared secrets stored in LDAP (or SQL) instead of having a whole network with the same shared secret. This way you have better pseudo security by being able to set a password for each individual NAS element.<br>
2) Reduced LDAP queries due to dynamic-client's caching of the query results. This is also helps to reduce one extra query against the LDAP database since the client is cached in radiusd's memory.<br><br>So to set it up it's the same configuration as specified in the above post, with the following differences:<br>
<br>Element Setup: It's the same apart from now you need to add a second value to each element for the Shared Secret password. In the below cases I use the "ou" or Department attribute.<br><br>---<br>OU=Elements,OU=Radius,DC=ACME,DC=COM<br>
Elements will hold a record of every NAS in your Network. You will create Group objects based on the IP Address of the NAS and set the "Location" or "l" attribute to the NAS Huntgroup the NAS belongs to allow them to be centrally managed in LDAP.<br>
IE<br>CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM<br>With a "l" value of "CiscoRTR" for a Cisco Router that has a NAS-IP-Address or Source-IP-Address of 10.1.2.3. This will make more sense further on.<br>
And with a "ou" value of the shared secret password for the NAS element. ie "password"<br>---<br><br>FILE:/etc/raddb/clients.conf<br>- Don't need to make any changes into this file anymore.<br><br>
With the default config you will need to copy or symlink the dynamic-clients file into the sites-enabled directory. The easist way is to symlink:<br><br>cd etc/raddb/sites-enabled<br>ln -s ../sites-available/dynamic-clients dynamic-clients<br>
<br>Now modify the dynamic-clients file:<br>FILE: /etc/raddb/sites-available/dynamic-clients <br>client dynamic {<br> #Include all IP's in the Dynamic Clients range<br> ipaddr = 0.0.0.0<br> netmask = 0<br>
dynamic_clients = dynamic_client_server<br> lifetime = 86400<br>}<br><br>server dynamic_client_server {<br>authorize {<br>#Do a ldap lookup in the elements OU, check to see if the Packet-Src-IP-Address object has a "ou" attribute, if it does continue.<br>
if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {<br>update control {<br>FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"<br>#Set the Client-Shortname to be the Location "l" just like in the Huntgroups, but this time to the shortname.<br>
FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"<br>#NAS Type can't be used so no point in including it.<br>#FreeRADIUS-Client-NAS-Type = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?o?sub?cn=%{Packet-Src-IP-Address}}"<br>
#Lookup and set the Shared Secret based on the "ou" attribute.<br>FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"<br>}<br>}<br>ok<br>
}<br>}<br>----- END<br><br>FILE:/etc/raddb/sites-enabled/default<br><br>Instead of setting the Huntgroup, set the FreeRadius Client Name, so change:<br><br> update request {<br> Huntgroup-Name := "%{ldap:ldap:///ou=Elements,ou=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"<br>
}<br><br>with<br><br> update request {<br> Client-Shortname := "%{Client-Shortname}"<br> }<br><br>So that Client-Shortname is available in this virtual server and make all the same changes in the default file as per the above post.<br>
<br>Now lastly the changes in the users file to perform the lookup.<br><br>Change:<br><br>DEFAULT Huntgroup-Name == Junipers, Ldap-Group == "cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM"<br><br>With<br><br>
DEFAULT Client-Shortname == Junipers, Ldap-Group == "cn=JuniperAdmin,ou=Roles,ou=Radius,DC=ACME,DC=COM"<br>
<br>And all the same settings as per the previous post.<br><br>This way you still have the advantages of per-NAS authentication, and now you can also set passwords per-NAS, and less un-necessary traffic to the LDAP server.<br>
<br>A win win all around.<br><br>Alan, do you want me to turn this into a Wiki entry???<br>