Authorising Clients by Calling Station ID Not IP
Johan Meiring
jmeiring at pcservices.co.za
Tue Oct 25 11:45:45 CEST 2011
On 2011/10/24 09:06 PM, Jennyanydots Napoleon Shoehorn wrote:
> OH! I've looked at too many lines of code over the last week.
>
> I have no idea how to patch but will investigate. Was thinking we might have
> to use nas-id instead.
>
> The ultimate intention was to use the mac address of the nas and a nas
> specific shared secret.
>
> In your opinion, are there better ways to deal with dynamic clients?
>
> Thanks again
>
Hi,
I look up my clients using "dynamic clients" and Nas-Identifier.
You need a module that is not included by default called rlm_raw.
You can download a patch here: http://www.sendspace.com/file/f91rqi
The last file won't apply cleanly to 2.1.12, just manually add rlm_raw to the "src/modules/stable" file. (Look at the patch).
In your freeradius config, you need to "instantiate" rlm_raw.
/etc/freeradius/radiusd.conf
instantiate {
    raw
}
You need a module:
/etc/freeradius/modules/raw
raw {
}
My dynamic clients config:
/etc/freeradius/sites-available/my-dynamic-clients
# Packets from any source address are handed to the dynamic_nas virtual
# server, which decides whether the sender is defined as a client.
client dymamic {
    ipaddr = 0.0.0.0
    netmask = 0
    dynamic_clients = dynamic_nas
    lifetime = 86400    # seconds a dynamic client definition is kept
}
server dynamic_nas {
    authorize {
        # Define the client only when exactly one Nas row matches the NAS-Identifier.
        if ("%{sql: select count(*) from Nas where Identifier='%{raw:NAS-Identifier}'}" == "1") {
            update control {
                FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                # Message-Authenticator is not required from this client.
                FreeRADIUS-Client-Require-MA = no
                # Per-NAS shared secret, looked up by NAS-Identifier.
                FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{raw:NAS-Identifier}' and NasTypeID=1}"
                FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
                FreeRADIUS-Client-NAS-Type = "other"
                FreeRADIUS-Client-Virtual-Server = "dynamic_server"
            }
            ok
        }
    }
}
Notes:
- "dynamic_server" is the specific virtual server that handles the dynamic clients.
- the rlm_raw packet MIGHT contain Calling-Station-Id (or do you mean Called-Station-Id??) as well. You will have to look.
Hope this helps.
Cheers,
--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
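
Added example, not part of the original post or of FreeRADIUS: a Python/SQLite model of the two lookups in the config above, used to audit a Nas table for identifiers where the count check and the secret lookup disagree (the first query has no NasTypeID filter, the second does) or where the identifier is duplicated. Assumptions: SQLite stands in for the real database, the column types and all sample rows are constructed, and a secret lookup that returns no row is treated as an empty string.

```python
import sqlite3

# The two queries from the config, with bound parameters instead of
# string expansion of the NAS-Identifier.
COUNT_Q = "select count(*) from Nas where Identifier=?"
SECRET_Q = "select RadiusSecret from Nas where Identifier=? and NasTypeID=1"

def resolve_client(db, nas_identifier):
    """Model the authorize block: return (decision, secret)."""
    (count,) = db.execute(COUNT_Q, (nas_identifier,)).fetchone()
    if count != 1:                      # unknown or duplicated identifier
        return ("not-defined", None)
    row = db.execute(SECRET_Q, (nas_identifier,)).fetchone()
    secret = row[0] if row and row[0] else ""
    return ("defined", secret) if secret else ("empty-secret", "")

def audit(db):
    """Report identifiers that cannot resolve to exactly one usable secret."""
    findings = []
    rows = db.execute(
        "select Identifier, count(*), "
        "coalesce(sum(NasTypeID = 1), 0), "
        "coalesce(sum(NasTypeID = 1 and coalesce(RadiusSecret, '') <> ''), 0) "
        "from Nas group by Identifier order by Identifier")
    for ident, total, type1, usable in rows:
        if total > 1:
            findings.append((ident, "duplicate identifier: count(*) is not 1"))
        elif type1 == 0:
            findings.append((ident, "passes count check but NasTypeID is not 1"))
        elif usable == 0:
            findings.append((ident, "RadiusSecret is empty or NULL"))
    return findings

def sample_db():
    """Constructed sample data; schema types are an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("create table Nas (Identifier text, RadiusSecret text, NasTypeID integer)")
    db.executemany("insert into Nas values (?, ?, ?)", [
        ("ap-office-1", "s3cret-A", 1),   # resolves normally
        ("ap-lab-2", "s3cret-B", 2),      # count matches, secret lookup does not
        ("ap-dup-3", "s3cret-C", 1),      # identifier entered twice
        ("ap-dup-3", "s3cret-D", 1),
        ("ap-blank-4", "", 1),            # row exists, secret never filled in
    ])
    return db

if __name__ == "__main__":
    for ident, reason in audit(sample_db()):
        print(f"{ident}: {reason}")
```

Adding a unique constraint on Identifier and the same NasTypeID filter to both queries removes the first two classes of finding.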