lifetime of dynamic clients

Alan DeKok aland at deployingradius.com
Wed Oct 2 17:07:04 CEST 2013


steve at comitcon.be wrote:
> I have rebuilt freeradius on debian 7.0. I have added rlm_raw and have a
> working dynamic client configuration where I use Called_Station_ID to
> authenticate / validate that a NAS is allowed to use this radius server.

  That's not a recommended configuration.

> I wait for a couple of minutes
> and I executed the following command of client A:
>  echo "NAS-IP-Address=10.1.2.236,
> Called-Station-Id=00:40:96:aa:bb:cc,User-Name='testradius',User-Password='test',"
> | radclient -c '1' -n '3' -r '3' -t '3' -x '46.18.36.232:1812' 'auth'
> 'mysecret'
> 
> This has a faulty Called-Station-Id in it. I would assume that it would
> not allow me to connect. But this appears to still work.

  Of course.  RADIUS depends on IP addresses, not on Called-Station-Id.
 This is documented in the "dynamic_clients" configuration.  Right at
the top of the virtual server.

> I am wondering
> - The first time the IP address of client A is added to the list of known
> clients
> - So the second time, it will check first in the list if the IP is known,
> if so it won't go checking using the process defined in dynamic clients?

  That's what the documentation says.

> But no matter how long I wait, it appears that the cache is not cleared.
> 
> I have added a lifetime of 60 in the dynamic client conf, so I would
> assume that if I wait for a minute, the IP of client A would not be known,
> and it would go through checking again.

  That's how it works.

> Am I wrong in this? If not can I read the cache to find out why it is
> keeping that record?

  You can use "radmin" to query the server about a client.  It won't
show you the lifetime of that client.  But it will show you if the
client still exists.

  And as always, run the server in debugging mode.  READ the output.  It
tells you exactly what's going on, and why.

  Alan DeKok.
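The lookup order Alan describes (known clients are found by source IP first; the dynamic-client definition, and therefore the Called-Station-Id check, only runs on a miss and the entry then lives for `lifetime` seconds) can be replayed with the poster's own numbers. This is an added model written for this thread, not code from the thread or from FreeRADIUS; the allowed Called-Station-Id value, the `DynamicClientCache` class and the fake clock are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed allow-list standing in for the Called-Station-Id check in the
# poster's dynamic client policy (hypothetical value, not from the thread).
ALLOWED_CALLED_STATION_IDS = {"00:40:96:11:22:33"}

@dataclass
class DynamicClient:
    ip: str
    expires_at: float

class DynamicClientCache:
    """Known clients are keyed by source IP; the dynamic definition (and
    any attribute check inside it) only runs when the IP is not cached."""

    def __init__(self, lifetime, clock):
        self.lifetime = lifetime   # seconds, like "lifetime = 60" in the post
        self.clock = clock         # callable returning the current time
        self.clients = {}          # keyed by source IP, never by an attribute

    def lookup(self, src_ip):
        client = self.clients.get(src_ip)
        if client is not None and self.clock() >= client.expires_at:
            del self.clients[src_ip]   # lifetime elapsed: forget the client
            client = None
        return client

    def define(self, src_ip, called_station_id):
        # The dynamic-client policy: admit the NAS only on an allowed value.
        if called_station_id not in ALLOWED_CALLED_STATION_IDS:
            return None
        client = DynamicClient(src_ip, self.clock() + self.lifetime)
        self.clients[src_ip] = client
        return client

    def accepts(self, src_ip, called_station_id):
        # Cache hit: the attribute is never re-examined, which is what the
        # poster observed with a faulty Called-Station-Id.
        if self.lookup(src_ip) is not None:
            return True
        return self.define(src_ip, called_station_id) is not None

def replay_scenario(lifetime=60):
    """Replay the thread's scenario on a fake clock; returns (t, accepted)."""
    now = [0.0]
    cache = DynamicClientCache(lifetime, clock=lambda: now[0])
    steps = [(0, "00:40:96:11:22:33"),   # first request: valid id, cached
             (30, "00:40:96:aa:bb:cc"),  # faulty id, but the IP is still cached
             (61, "00:40:96:aa:bb:cc"),  # entry expired: re-checked, refused
             (62, "00:40:96:11:22:33")]  # valid id again: re-admitted
    results = []
    for t, csi in steps:
        now[0] = float(t)
        results.append((t, cache.accepts("10.1.2.236", csi)))
    return results
```

The same replay also shows why the "faulty" request at 30 seconds cannot be caught by a Called-Station-Id check at all: the decision was made at 0 seconds from the source IP.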
