lifetime of dynamic clients

steve at comitcon.be
Wed Oct 2 16:36:28 CEST 2013


Dear all,

I have rebuilt FreeRADIUS on Debian 7.0. I have added rlm_raw and have a
working dynamic client configuration where I use Called-Station-Id to
authenticate / validate that a NAS is allowed to use this RADIUS server.

I test using the following command on client A:

    echo "NAS-IP-Address=10.1.2.236,Called-Station-Id=00:40:96:aa:bb:ee,User-Name='testradius',User-Password='test'," \
    | radclient -c '1' -n '3' -r '3' -t '3' -x '46.18.36.232:1812' 'auth' 'mysecret'

I can see in the logs that it is checking the first time I log on, and it
is properly giving the message:

    adding client xxx.xxx.xxx.xxx with shared secret.

Now, when I executed the same command on a different machine, client B, it
ran through it again (same command; I only had one NAS added to it). It
added the new 'client' to the dynamic clients.

I waited for a couple of minutes and then executed the following command on
client A:

    echo "NAS-IP-Address=10.1.2.236,Called-Station-Id=00:40:96:aa:bb:cc,User-Name='testradius',User-Password='test'," \
    | radclient -c '1' -n '3' -r '3' -t '3' -x '46.18.36.232:1812' 'auth' 'mysecret'

This has a faulty Called-Station-Id in it. I would assume that it would
not allow me to connect, but this appears to still work.

I am wondering:
- The first time, the IP address of client A is added to the list of known
clients.
- So the second time, it will first check in the list whether the IP is known,
and if so it won't go through the process defined in dynamic clients?

But no matter how long I wait, it appears that the cache is not cleared.

I have added a lifetime of 60 in the dynamic client conf, so I would
assume that if I wait for a minute, the IP of client A would no longer be known,
and it would go through the checks again.
Am I wrong in this? If not, can I read the cache to find out why it is
keeping that record?

Kind regards

Steve
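An added illustration, not the configuration from this mail (which is not shown): a FreeRADIUS 2.x dynamic-clients definition of the kind described above, written in the syntax of sites-available/dynamic-clients. The network range is a placeholder, the Called-Station-Id is the one from the first test command, and `lifetime = 60` is the setting the mail refers to.

```conf
# clients.conf (or sites-available/dynamic-clients), FreeRADIUS 2.x syntax.
# Illustrative only; the range below is a placeholder (TEST-NET-1), not the
# network of client A and client B.
client dynamic {
	ipaddr = 192.0.2.0
	netmask = 24
	dynamic_clients = dynamic_client_server
	lifetime = 60                # seconds an auto-added client definition is kept
	rate_limit = yes             # limit how often one source IP can be re-checked
}

# Consulted only for a packet whose source IP is inside the range above and
# is not yet a known client. While the entry created here is alive, later
# packets from the same source IP match the existing client definition and
# do not come back through this section.
server dynamic_client_server {
	authorize {
		# Admit only a NAS that sends the expected Called-Station-Id.
		# Called-Station-Id is sent in clear, so it is readable here even
		# though no shared secret is known yet for this source IP.
		if (Called-Station-Id == "00:40:96:aa:bb:ee") {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-Secret = "mysecret"
				FreeRADIUS-Client-Shortname = "dyn-%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-NAS-Type = "other"
				FreeRADIUS-Client-Virtual-Server = "default"
			}
			ok
		}
		else {
			# Anything other than ok/updated: no client is created and the
			# packet is discarded.
			reject
		}
	}
}
```

The client entry is keyed on the packet's source IP (Packet-Src-IP-Address), not on the NAS-IP-Address attribute inside the packet, which is why client B gets its own entry even though it sends the same attributes.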

More information about the Freeradius-Users mailing list