clients.conf - identifying a "client" - sql/ldap
Johan Meiring
jmeiring at pcservices.co.za
Wed Aug 20 13:08:07 CEST 2008
>
> Johan Meiring wrote:
> >> Is there any way to handle clients with dynamic IPs, and use
> >> the NAS-Identifier and radius secret to allow/disallow the NAS?
>
> The current git tree has functionality that should do this. See
> git.freeradius.org, and read raddb/sites-available/dynamic-clients.
>
> The idea is to define the network 0.0.0.0/0 as you do now, and then
> dynamically create the "client" definition the first time the server
> receives a packet from that client. You can use "unlang" to check the
> NAS-Identifier, and then define a shared secret for that NAS.
>
> There are limitations, of course. See the configuration
> file for details.
Hi Alan,
It seems exactly what I want, but....
I'm getting there but not quite.
Using the sites-available as an example I created the following:
A Virtual Server with an authorize section that will create the client.
Tested working using static info.
-----------------------
server dymamic_nas {
    authorize {
        update control {
            FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
            FreeRADIUS-Client-Require-MA = no
            FreeRADIUS-Client-Secret = "test-secret"
            FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
            FreeRADIUS-Client-NAS-Type = "other"
            FreeRADIUS-Client-Virtual-Server = "hotspot"
        }
        ok
    }
}
------------------------
Works perfectly.
Now I replace the "static info" above with an SQL query, again using the example
-------------------------------------------------------------
server dymamic_nas {
    authorize {
        if ("%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}") {
            update control {
                FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                FreeRADIUS-Client-Require-MA = no
                FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{NAS-Identifier}'}"
                FreeRADIUS-Client-Shortname = "%{NAS-Identifier}"
                FreeRADIUS-Client-NAS-Type = "other"
                FreeRADIUS-Client-Virtual-Server = "hotspot"
            }
            ok
        }
    }
}
-------------------------------------------------------------
The problem is that %{NAS-Identifier} expands to nothing.
This seems to be confirmed by the documentation.
-------------------------------------------------------------
# The request that is processed through this section
# is EMPTY. There are NO attributes. The request is fake,
# and is NOT the packet that triggered the lookup of
# the dynamic client.
#
# The ONLY piece of useful information is either
#
# Packet-Src-IP-Address (IPv4 clients)
# Packet-Src-IPv6-Address (IPv6 clients)
-------------------------------------------------------------
The documentation however mentions that I can somehow get hold
of the NAS-Identifier and use it to set the "shared secret".
-------------------------------------------------------------
# You can use any policy here. e.g. Check NAS-Identifier,
# and define a shared secret by NAS-Identifier, rather than
-------------------------------------------------------------
How do I get hold of the NAS-Identifier in order to find the required secret?
Thanks!!!
>
> Alan DeKok.
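Added example, not from the post or from FreeRADIUS itself: a small Python model of the dynamic-client lookup above, backed by an in-memory sqlite table. It reproduces the failure the post describes (the NAS-Identifier-keyed query runs with an empty expansion and matches no row, so no client is defined), and contrasts it with a lookup keyed on Packet-Src-IP-Address, the one value the quoted documentation says is available in that section. The table name and columns (Nas, NasID, Identifier, RadiusSecret) follow the post's queries; the SrcIP column and all rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the post's "Nas" table; SrcIP is an assumed
# extra column so the same table can be keyed by the packet's source address.
SAMPLE_NAS_ROWS = [
    (1, "hotspot-01", "secret-one", "192.0.2.10"),
    (2, "hotspot-02", "secret-two", "192.0.2.11"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Nas (NasID INTEGER, Identifier TEXT, "
               "RadiusSecret TEXT, SrcIP TEXT)")
    db.executemany("INSERT INTO Nas VALUES (?, ?, ?, ?)", SAMPLE_NAS_ROWS)
    return db

def lookup_secret_by_identifier(db, nas_identifier):
    """Model of the post's %{sql:...} keyed on NAS-Identifier. In the
    dynamic-client section the request is empty, so the attribute expands
    to '' and the query matches nothing."""
    row = db.execute("SELECT RadiusSecret FROM Nas WHERE Identifier = ?",
                     (nas_identifier or "",)).fetchone()
    return row[0] if row else None

def lookup_secret_by_src_ip(db, src_ip):
    """Lookup keyed on Packet-Src-IP-Address, which is available."""
    row = db.execute("SELECT RadiusSecret FROM Nas WHERE SrcIP = ?",
                     (src_ip,)).fetchone()
    return row[0] if row else None

def define_dynamic_client(db, src_ip, key="src_ip", nas_identifier=None):
    """Return the 'update control' attributes the post's block would set,
    or None when the lookup finds no row: the 'if' is false, no client is
    created, and the packet from that source is not accepted."""
    if key == "identifier":
        secret = lookup_secret_by_identifier(db, nas_identifier)
    else:
        secret = lookup_secret_by_src_ip(db, src_ip)
    if secret is None:
        return None
    return {
        "FreeRADIUS-Client-IP-Address": src_ip,
        "FreeRADIUS-Client-Require-MA": "no",
        "FreeRADIUS-Client-Secret": secret,
        "FreeRADIUS-Client-Shortname": src_ip,
        "FreeRADIUS-Client-NAS-Type": "other",
        "FreeRADIUS-Client-Virtual-Server": "hotspot",
    }
```

An unknown source address yields no client rather than a default secret, which is the behaviour to keep when the client network is 0.0.0.0/0.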