freeradius and IdenticalClients

Fajar A. Nugraha list at fajar.net
Thu Jun 30 09:47:33 CEST 2011


On Thu, Jun 30, 2011 at 2:11 PM, Franz Angeli <franz.angeli at gmail.com> wrote:
> Hi
> I'm trying to migrate my radiator server to freeradius, I have to use
> something like "IdenticalClients" on radiator:
>

No exact match that I know of

>
> # TEST
> <Client 10.1.131.1>
>    # Specifies a list of other clients that have an identical setup.
>    # You can use this parameter to avoid having to create separate
>    # Client clauses for lots of otherwise identical clients
>    IdenticalClients X.X.X.X Y.Y.Y.Y Z.Z.Z.Z

FR allows you to specify something like this on clients.conf

X.X.X.0/24 using ipaddr and netmask

>
>    # Secret is the shared secret between client and this server
>    # Any number of characters, any character except newline
>    # You must set a secret in every Client clause.
>    Secret  somesecret

There's a "secret" directive for every client

>
>    # Use this to set a default realm for requests that dont
>    # already have one. This can trigger a specific Realm
>    # statement for users who log in to this NAS without a
>    # realm
>    DefaultRealm FQDN

The closest one to this would be
        #  As of 2.0, clients can also be tied to a virtual server.
        #  This is done by setting the "virtual_server" configuration
        #  item, as in the example below.
        #
#       virtual_server = home1


> </Client>
>
>
> Can I replicate this configuration on freeradius?


As an alternative to using clients.conf, you could store NAS definitions
in a db. From sql.conf:

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.  For performance
        # and security reasons, finding clients via SQL queries CANNOT
        # be done "live" while the server is running.
        #
        #readclients = yes

        # Table to keep radius client info
        nas_table = "nas"


and from sql/mysql/dialup.conf

        #######################################################################
        #  NAS Query
        #######################################################################
        #  This query retrieves the radius clients
        #
        #  0. Row ID (currently unused)
        #  1. Name (or IP address)
        #  2. Shortname
        #  3. Type
        #  4. Secret
        #  5. Server
        #######################################################################

        nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

Also read sql/mysql/nas.sql for the default scheme.

Notice the default nas_query and scheme? It's customizable.
If you modify the default schema and the query, it's possible to (for example):
- create a table called "nasgroup" which holds values for a group of nas
- create a table called "nasmembership" which has nas IP to group mapping
- change the query to a join.

That way you can have something that functions similarly to
IdenticalClients, in that you only need to specify nas attributes
(secret, etc.) once for a certain nas group, and it will be applied to
all nas in that group.

-- 
Fajar
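
The nasgroup / nasmembership join described in the reply above, as an added example that is not part of the original post or of FreeRADIUS. The table names come from the post; the column names, the in-memory SQLite database standing in for MySQL, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema: table names follow the post, column names are assumptions.
SCHEMA = """
CREATE TABLE nasgroup (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL UNIQUE,
    type TEXT NOT NULL DEFAULT 'other', secret TEXT NOT NULL, server TEXT);
CREATE TABLE nasmembership (id INTEGER PRIMARY KEY, nasname TEXT NOT NULL,
    shortname TEXT, group_id INTEGER NOT NULL REFERENCES nasgroup(id));
"""

# Returns the same six columns, in the same order, as the default nas_query:
# id, nasname, shortname, type, secret, server
NAS_QUERY = """
SELECT m.id, m.nasname, m.shortname, g.type, g.secret, g.server
FROM nasmembership m JOIN nasgroup g ON g.id = m.group_id
ORDER BY m.id
"""

# A NAS mapped to more than one group comes back twice from NAS_QUERY,
# possibly with different secrets, so check for that before using the data.
AMBIGUOUS_QUERY = """
SELECT nasname FROM nasmembership
GROUP BY nasname HAVING COUNT(DISTINCT group_id) > 1
ORDER BY nasname
"""

def build_db():
    """Create the two tables and load constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO nasgroup VALUES (1, 'test', 'other', 'somesecret', 'home1')")
    db.execute("INSERT INTO nasgroup VALUES (2, 'lab', 'other', 'othersecret', NULL)")
    db.executemany(
        "INSERT INTO nasmembership (nasname, shortname, group_id) VALUES (?, ?, ?)",
        [("10.1.131.1", "nas1", 1), ("192.0.2.10", "nas2", 1),
         ("192.0.2.11", "nas3", 1), ("192.0.2.11", "nas3", 2)])
    return db

def load_clients(db):
    """One row per membership; secret/type/server are inherited from the group."""
    return db.execute(NAS_QUERY).fetchall()

def ambiguous_nas(db):
    """NAS addresses that appear in more than one group."""
    return [row[0] for row in db.execute(AMBIGUOUS_QUERY)]

if __name__ == "__main__":
    db = build_db()
    for row in load_clients(db):
        print(row)
    print("in more than one group:", ambiguous_nas(db))
```

The secret is stored once per group, so changing it there changes it for every member; the ambiguity check catches a NAS that would otherwise be loaded with two conflicting definitions.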



