clients.conf - identifying a "client" - sql/ldap

Johan Meiring jmeiring at pcservices.co.za
Wed Aug 20 13:08:07 CEST 2008


> 
> Johan Meiring wrote:
> >> Is there any way to handle clients with dynamic IPs, and use 
> >> the NAS-Identifier and radius secret to allow/disallow the NAS?
> 
>   The current git tree has functionality that should do this.  See
> git.freeradius.org, and read raddb/sites-available/dynamic-clients.
> 
>   The idea is to define the network 0.0.0.0/0 as you do now, and then
> dynamically create the "client" definition the first time the server
> receives a packet from that client.  You can use "unlang" to check the
> NAS-Identifier, and then define a shared secret for that NAS.
> 
>   There are limitations, of course.  See the configuration 
> file for details.

Hi Alan,

It seems exactly what I want, but....
I'm getting there but not quite.

Using the sites-available as an example I created the following:

A Virtual Server with an authorize section that will create the client.
Tested working using static info.

-----------------------
server dynamic_nas {
  authorize {
    update control {
      FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
      FreeRADIUS-Client-Require-MA = no
      FreeRADIUS-Client-Secret = "test-secret"
      FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
      FreeRADIUS-Client-NAS-Type = "other"
      FreeRADIUS-Client-Virtual-Server = "hotspot"
    }
    ok
  }
}
------------------------

Works perfectly.
Now I replace the "static info" above with a SQL query, again using the
example:

-------------------------------------------------------------
server dynamic_nas {
  authorize {
    if ("%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}") {
      update control {
        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
        FreeRADIUS-Client-Require-MA = no
        FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{NAS-Identifier}'}"
        FreeRADIUS-Client-Shortname = "%{NAS-Identifier}"
        FreeRADIUS-Client-NAS-Type = "other"
        FreeRADIUS-Client-Virtual-Server = "hotspot"
      }
      ok
    }
  }
}
-------------------------------------------------------------

The problem is that %{NAS-Identifier} expands to nothing.
This seems to be confirmed by the documentation.

-------------------------------------------------------------
    # The request that is processed through this section
    # is EMPTY. There are NO attributes. The request is fake,
    # and is NOT the packet that triggered the lookup of
    # the dynamic client.
    #
    # The ONLY piece of useful information is either
    #
    #  Packet-Src-IP-Address (IPv4 clients)
    #  Packet-Src-IPv6-Address (IPv6 clients)
-------------------------------------------------------------

The documentation however mentions that I can somehow get hold 
of the NAS-Identifier and use it to set the "shared secret".

-------------------------------------------------------------
    # You can use any policy here. e.g. Check NAS-Identifier,
    # and define a shared secret by NAS-Identifier, rather than
-------------------------------------------------------------

How do I get hold of the NAS-Identifier in order to find the required
secret?

Thanks!!!


> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
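An added illustration, not code from this thread or from FreeRADIUS, of why the query above expands to nothing: a small Python model of unlang's %{Attribute} expansion, run once against the near-empty request the dynamic-clients server sees and once against a normal authorize request. The two attribute lists and the secret_lookup_key helper are constructed for the example, and the model handles only plain attribute references, not the %{sql:...} module call.

```python
import re
from typing import Dict, Optional

# Constructed stand-ins for the attribute list a virtual server is given.
# In the dynamic-clients server the request is fake and nearly empty: only
# the packet source address is present. A normal authorize section sees the
# full Access-Request, including NAS-Identifier.
DYNAMIC_CLIENT_REQUEST: Dict[str, str] = {"Packet-Src-IP-Address": "192.0.2.10"}
NORMAL_AUTHORIZE_REQUEST: Dict[str, str] = {
    "Packet-Src-IP-Address": "192.0.2.10",
    "NAS-Identifier": "hotspot-01",
    "User-Name": "alice",
}

# Matches a plain %{Attribute-Name} reference (hypothetical simplification).
XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand(template: str, request: Dict[str, str]) -> str:
    """Expand %{Attribute} references the way unlang does: an attribute
    that is missing from the request expands to the empty string."""
    return XLAT.sub(lambda m: request.get(m.group(1), ""), template)


# The secret lookup from the post, with the outer %{sql:...} wrapper removed.
SECRET_QUERY = "select RadiusSecret from Nas where Identifier='%{NAS-Identifier}'"


def secret_lookup_key(request: Dict[str, str]) -> Optional[str]:
    """Return the NAS-Identifier to key a secret lookup on, or None when it
    is absent. Refusing an empty key keeps a query like Identifier='' from
    matching a stray row and handing out a secret for an unknown NAS."""
    key = expand("%{NAS-Identifier}", request)
    return key or None


if __name__ == "__main__":
    for name, req in (("dynamic-clients", DYNAMIC_CLIENT_REQUEST),
                      ("authorize", NORMAL_AUTHORIZE_REQUEST)):
        print(f"{name}: {expand(SECRET_QUERY, req)} -> key={secret_lookup_key(req)}")
```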