<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi all,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I've spent many hours now trying to get dynamics clients working the way I would like them too.<o:p></o:p></p><p class=MsoNormal>But I've now got to the point where I need to reach out to the list for help.<o:p></o:p></p><p class=MsoNormal>I appreciate this is a long email with a lot of questions but I have worked hard to get this working myself... I just need some pointers now...<o:p></o:p></p><p class=MsoNormal>I'm running freeradius 2.2.5 on Ubuntu 14.04 with MySQL 5.5<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thank you very much all for all your help,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Kev/.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Deep breath...<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1) Is it possible to 'key' all clients by the NAS-IP-Address field rather than the source IP address field?<o:p></o:p></p><p class=MsoNormal>I do appreciate that RFC2865 states that is MUST NOT be used, but that was back in 2000, when Cloud and SaaS hosting didn't exist.<o:p></o:p></p><p class=MsoNormal>Being how flexible freeradius is, I was wondering if this would be possible or has been done before.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>2) Can Dynamics Clients also be keyed by NAS-IP-Address (naturally linked to q1)?<o:p></o:p></p><p class=MsoNormal>I've built my freeradius with the raw module and can do all the dynamic clients SQL queries using NAS-IP-Address fine, BUT freeradius refuses to cache the client secret with the message:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>rad_recv: Access-Request packet from host 192.168.26.119 port 37350, id=43, length=86<o:p></o:p></p><p class=MsoNormal>server dynamic_client_server {<o:p></o:p></p><p class=MsoNormal>rlm_raw: NAS-IP-Address = 10.10.10.10<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Reserving sql socket id: 1<o:p></o:p></p><p class=MsoNormal>rlm_sql_mysql: query: SELECT secret FROM nas WHERE nas-ip-address='10.10.10.10'<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Released sql socket id: 1<o:p></o:p></p><p class=MsoNormal>} # server dynamic_client_server<o:p></o:p></p><p class=MsoNormal>- Cannot add client 192.168.26.119: IP address 10.10.10.10 do not match<o:p></o:p></p><p class=MsoNormal>Ignoring request to authentication address * port 1812 from unknown client 192.168.26.119 port 37350<o:p></o:p></p><p class=MsoNormal>Ready to process requests.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This happens when in my dynamic_clients update control, I have:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>FreeRADIUS-Client-IP-Address = "%{raw:NAS-IP-Address}"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All works great if I use the source IP address but I'd like to use NAS-IP-Address.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>3) Can a dynamic client set to match 0.0.0.0/0, support loading a 0.0.0.0/0 client from sql on start up?<o:p></o:p></p><p class=MsoNormal>If I have a client defined in my nas table with the nasname 0.0.0.0/0, I get the following message on start up:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server FROM nas<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Read entry nasname=0.0.0.0/0,shortname=All,secret=xxxxxxxx<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Adding client 0.0.0.0 (All, server=<none>) to clients list<o:p></o:p></p><p class=MsoNormal>Failed to add duplicate client All<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Released sql socket id: 4<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Failed to add client 0.0.0.0 (All) to clients list. Maybe there's a duplicate?<o:p></o:p></p><p class=MsoNormal>Failed to load clients from SQL.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This does of course tell me what the problem is but is there a way to have a 0.0.0.0/0 client?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I've tested having 0.0.0.0/1 and 128.0.0.0/1 as two separate clients pointing to one dynamic clients virtual server, like this:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>client dynamic_bottom {<o:p></o:p></p><p class=MsoNormal> ipaddr = 0.0.0.0<o:p></o:p></p><p class=MsoNormal> netmask = 1<o:p></o:p></p><p class=MsoNormal> dynamic_clients = dynamic_client_server<o:p></o:p></p><p class=MsoNormal> lifetime = 3600<o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>client dynamic_top {<o:p></o:p></p><p class=MsoNormal> ipaddr = 128.0.0.0<o:p></o:p></p><p class=MsoNormal> netmask = 1<o:p></o:p></p><p class=MsoNormal> dynamic_clients = dynamic_client_server<o:p></o:p></p><p class=MsoNormal> lifetime = 3600<o:p></o:p></p><p class=MsoNormal>}<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>server dynamic_client_server {<o:p></o:p></p><p class=MsoNormal> authorize {<o:p></o:p></p><p class=MsoNormal> if ("%{sql:SELECT nasname FROM nas ...<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Now this does start up fine without error and reports:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server FROM nas<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Read entry nasname=0.0.0.0/0,shortname=All,secret=xxxxxxxx<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Adding client 0.0.0.0 (All, server=<none>) to clients list<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Released sql socket id: 4<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>But then when I try a radtest (now using normal source address matching) the client still gets looked up by the dynamic client, even though this 'All' entry should match any v4 IP address:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>rad_recv: Access-Request packet from host 192.168.26.119 port 44846, id=20, length=86<o:p></o:p></p><p class=MsoNormal>server dynamic_client_server {<o:p></o:p></p><p class=MsoNormal>rlm_raw: NAS-IP-Address = 10.10.10.10<o:p></o:p></p><p class=MsoNormal>rlm_raw: NAS-IP-Address = 10.10.10.10<o:p></o:p></p><p class=MsoNormal>rlm_sql (sql): Reserving sql socket id: 3<o:p></o:p></p><p class=MsoNormal>rlm_sql_mysql: query: SELECT nasname FROM nas ...<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Is the 'read nas list on start up' stripping the /netmask and only adding 0.0.0.0 as a single hots entry?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Is it possible to 'see' the list of know clients within freeradius when it is running, be them loaded at start up or learned by dynamic_clients?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>4) Do dynamic clients support network address range client definition lookups in sql, i.e. nasname = 192.168.1.0/24?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I've got my dynamic clients lookup sql queries working to find matching network entries when the request only has a single source IP address (using decimal ip address value comparisons and order by netmask sql queries), and the returned nasname from the sql entry to the dynamic client IS a network range but I think freeradius only caches it as a single host.<o:p></o:p></p><p class=MsoNormal>It works but I think it only adds the entry as a single host, when I try from a different host in the same subnet, I see another dynamic client sql lookup.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The documentation in dymanics_clients says you can do the same as you can with the normal clients file, which does support networks.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>