RE: clients.conf - identifying a "client" - sql/ldap
Hi all, Received no responses to the post below. Any ideas would be greatly appreciated! Thanks, Johan Meiring Cape PC Services CC / Amobia Communications Tel: (021) 883-8271 / (0861) AMOBIA Fax: (021) 886-7782 / (0861) AMOFAX
-----Original Message----- From: Johan Meiring [mailto:jmeiring@pcservices.co.za] Sent: 28 July 2008 11:55 AM To: 'freeradius-users@lists.freeradius.org' Subject: clients.conf - identifying a "client" - sql/ldap
Hi,
I have the following setup.
Various clients (chillispot) behind broadband (read: dynamic IP) connections. Basically I am selling AAA services.
I would like to authotize a nas to use my services in the first place by using the NAS-Identifier and the radius secret.
Both the NAS SQL table and the clients.conf file seem to identify the client by IP address.
As my clients can be from ANY address, it seems that the only way is to create an entry in clients.conf is as follows:
client 0.0.0.0/0 { shortname = myclient secret = abcde }
This now implies again that all clients have to have the same secret.
I am using the perl modules, but according to another post you cannot use perl as replacement for clients.conf. Also the sql nas table simply mimics the clients. (I.e. still uses IP address to find entry).
Is there any way to handle clients with dynamic IPs, and use the NAS-Identifier and radius secret to allow/disallow the NAS?
Thanks!
Cheers,
Johan Meiring Cape PC Services CC / Amobia Communications Tel: (021) 883-8271 / (0861) AMOBIA Fax: (021) 886-7782 / (0861) AMOFAX
Hi,
Hi all,
Received no responses to the post below.
its been answered countless times on the list before go a google or list archive search should help. basically, use either something like dyndns so you can use the DNS name etc to get started, or, better still, use eg 'openvpn' so the NAS uses a tunnel back to the RADIUS server(s) and therefore can be assigned the same IP as tunnel end-point giving you more control/flexibility alan
Johan Meiring wrote:
Is there any way to handle clients with dynamic IPs, and use the NAS-Identifier and radius secret to allow/disallow the NAS?
The current git tree has functionality that should do this. See git.freeradius.org, and read raddb/sites-available/dynamic-clients. The idea is to define the network 0.0.0.0/0 as you do now, and then dynamically create the "client" definition the first time the server receives a packet from that client. You can use "unlang" to check the NAS-Identifier, and then define a shared secret for that NAS. There are limitations, of course. See the configuration file for details. Alan DeKok.
Johan Meiring wrote:
Is there any way to handle clients with dynamic IPs, and use the NAS-Identifier and radius secret to allow/disallow the NAS?
The current git tree has functionality that should do this. See git.freeradius.org, and read raddb/sites-available/dynamic-clients.
The idea is to define the network 0.0.0.0/0 as you do now, and then dynamically create the "client" definition the first time the server receives a packet from that client. You can use "unlang" to check the NAS-Identifier, and then define a shared secret for that NAS.
There are limitations, of course. See the configuration file for details.
Hi Alan, I seems exactly what I want, but.... I'm getting there but not quite. Using the sites-available as an example I created the following: A Virtual Server with a authorize section that will create the client. Tested working using static info. ----------------------- server dymamic_nas { authorize { update control { FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" FreeRADIUS-Client-Require-MA = no FreeRADIUS-Client-Secret = "test-secret" FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" FreeRADIUS-Client-NAS-Type = "other" FreeRADIUS-Client-Virtual-Server = "hotspot" } ok } } ------------------------ Works perfectly. No I replace the "static info" above with a SQL query, again using the example ------------------------------------------------------------- server dymamic_nas { authorize { if ("%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}") { update control { FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" FreeRADIUS-Client-Require-MA = no FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{NAS-Identifier}'}" FreeRADIUS-Client-Shortname = "%{NAS-Identifier}" FreeRADIUS-Client-NAS-Type = "other" FreeRADIUS-Client-Virtual-Server = "hotspot" } ok } } } ------------------------------------------------------------- The problem is that %{NAS-Identifier} expands to nothing. This seems to be confirmed by the documentation. ------------------------------------------------------------- # The request that is processed through this section # is EMPTY. There are NO attributes. The request is fake, # and is NOT the packet that triggered the lookup of # the dynamic client. # # The ONLY piece of useful information is either # # Packet-Src-IP-Address (IPv4 clients) # Packet-Src-IPv6-Address (IPv6 clients) ------------------------------------------------------------- The documentation however mentions that I can somehow get hold of the NAS-Identifier and use it to set the "shared secret". ------------------------------------------------------------- # You can use any policy here. e.g. Check NAS-Identifier, # and define a shared secret by NAS-Identifier, rather than ------------------------------------------------------------- How do I get hold of the NAS-Identifier in order to find the required secret. Thanks!!!
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Johan Meiring wrote:
Using the sites-available as an example I created the following:
A Virtual Server with a authorize section that will create the client. Tested working using static info. ... Works perfectly.
As designed.
No I replace the "static info" above with a SQL query, again using the example
------------------------------------------------------------- server dymamic_nas { authorize { if ("%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}") {
OK...
The problem is that %{NAS-Identifier} expands to nothing. This seems to be confirmed by the documentation.
Ah... good point. Hmm... it's probably worth copying the NAS-Identifier to the fake packet. It's just useful enough to be worth it.
The documentation however mentions that I can somehow get hold of the NAS-Identifier and use it to set the "shared secret".
That's the intent, but the code doesn't match.
------------------------------------------------------------- # You can use any policy here. e.g. Check NAS-Identifier, # and define a shared secret by NAS-Identifier, rather than -------------------------------------------------------------
How do I get hold of the NAS-Identifier in order to find the required secret.
Give me a bit, and I'll go poke the code. Alan DeKok.
------------------------------------------------------------- # You can use any policy here. e.g. Check NAS-Identifier, # and define a shared secret by NAS-Identifier, rather than -------------------------------------------------------------
How do I get hold of the NAS-Identifier in order to find the required secret.
Give me a bit, and I'll go poke the code.
Alan, Realise you are trying to support the world!!! Have you had any luck with the poking ?? Thanks Johan
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Johan Meiring