lifetime of dynamic clients

Alan DeKok aland at deployingradius.com
Wed Oct 2 19:53:04 CEST 2013


> 1. FreeRADIUS lacks the ability to actually run NASes behind a link with a
> dynamic IP. Although not recommended, this software does not support a
> proper way of dealing with this.

  Nonsense.  This is a fundamental limitation of the RADIUS protocol.

  If you want to use dynamic IPs, use a VPN, or TLS (RFC 6614).

> This is indeed a fake. I have added this in mysql in the nas table under
> the field community (described in ify /yfi setup). The connection actually
> works. I can (ab)use this field as much as desired

  Because RADIUS depends on source IP.

>>   Of course.  RADIUS depends on IP addresses, not on Called-Station-Id.
>>  This is documented in the "dynamic_clients" configuration.  Right at
>> the top of the virtual server.
> 
> Yes, I have read the documentation (multiple sources, Google, etc.). I was
> just wondering what happens when you use the raw module.

  It's not distributed with the server.  So it's not a supported module.
 And no, I don't use it.

  And no, you haven't read the documentation.  The files I mentioned
*clearly* state that the dynamic clients use and cache the source IP.
They say NOTHING about checking the Called-Station-Id for each packet.

> Is a client defined by a NAS or a user?

  RADIUS clients are defined by source IP.  The documentation you
allegedly read makes this clear.  So there's no need to ask the above
question... because the documentation already answers it.

> The output shows indeed when it goes through the dynamic server
> section and once it is authenticated it only runs through the default
> (which is understandable)

  So... *nothing* else in the debug output is useful to you.

  I guess you've read it as carefully as you've read the documentation.

  Alan DeKok.
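
Added example (not part of the original message and not FreeRADIUS code): a simplified Python model of a client table that is keyed and cached by source IP with a lifetime, as the reply describes. The class and function names, the 3600-second lifetime, the addresses and the secret are all constructed for illustration.

```python
import time

class ClientCache:
    """Simplified model: RADIUS clients are identified by source IP only."""

    def __init__(self, lookup, lifetime, clock=time.monotonic):
        self.lookup = lookup      # hypothetical backend: src_ip -> secret or None
        self.lifetime = lifetime  # seconds a dynamic client stays cached
        self.clock = clock
        self.cache = {}           # src_ip -> (secret, expires_at)
        self.lookups = 0          # how often the backend was consulted

    def secret_for(self, src_ip, attributes):
        """Return the shared secret for a packet, or None to discard it.

        `attributes` (Called-Station-Id and so on) is deliberately unused:
        the secret has to be chosen before packet contents can be trusted.
        """
        now = self.clock()
        entry = self.cache.get(src_ip)
        if entry and now < entry[1]:
            return entry[0]               # cache hit: backend not consulted
        self.cache.pop(src_ip, None)      # unknown or expired entry
        self.lookups += 1
        secret = self.lookup(src_ip)
        if secret is not None:
            self.cache[src_ip] = (secret, now + self.lifetime)
        return secret

class FakeClock:
    """Controllable clock so the expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def demo():
    nas_table = {"192.0.2.10": "constructed-secret"}  # constructed sample data
    clock = FakeClock()
    cache = ClientCache(nas_table.get, lifetime=3600, clock=clock)
    seen = [
        cache.secret_for("192.0.2.10", {"Called-Station-Id": "AA-BB"}),
        cache.secret_for("192.0.2.10", {"Called-Station-Id": "CC-DD"}),    # cached
        cache.secret_for("198.51.100.7", {"Called-Station-Id": "AA-BB"}),  # unknown IP
    ]
    del nas_table["192.0.2.10"]   # the NAS's dynamic address changes; row removed
    seen.append(cache.secret_for("192.0.2.10", {}))  # old IP still accepted
    clock.now = 3601
    seen.append(cache.secret_for("192.0.2.10", {}))  # expired, lookup now fails
    return seen, cache.lookups
```

In this model the old address keeps working until its cached entry expires, so the lifetime bounds how long a stale IP remains accepted after the backend row is gone.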


More information about the Freeradius-Users mailing list