lifetime of dynamic clients
steve at comitcon.be
steve at comitcon.be
Wed Oct 2 20:06:23 CEST 2013
Alan
first of all thank you for replying although I must sense quite some
hostility in your replies. On the other hand, I have read previous emails
coming from your end and this appears to be the way you respond.
Secondly I have read the documentation, but RTFM still appears to be the
common way of responding (even after using Linux for over 15 years).
Thirdly , the case below is a true real life situation, which does not
only occur only for me, but also for other. Even though the module is not
officially supported (maybe for the reason there are) it is in today's
world . You can decide, be a bernstein (like qmail) or adopt to a real
life situation. (Btw, if this was such uncommon, how come I find as many
question on it as there are. If YFI is actually supporting this, there
must be a need. Even if it is not meant like that.
Fourhtly, the issue I have has nothing to do with the whole running of
rlm_raw or any alike. Authentication works fine and as expected.
And yes I have read the statements on caching , what is used and even the
disclaimer that only the src ip is supported. So don't become patronising
that I didn't. I also scrobbled google for quite some time and I have read
the debug more than you can think. But guess what? If the only output
after authentication is
adding client xxx.xxx.xxx.xxx with shared secret
it does not state
a) lifetime
b) anything else usefull.
Now I am running radmin show client list and see the IP appear. I am now
testing when it disappear.
Please refrain from responding if it will only be a load of 'you did not
do this or that', while you have no clue on what I read or already have
done. If the response is coming to the basic question
"how can I check the lifetime of a dynamic client" feel free.
Elsewise, let's keep this clean for people willing to find the proper
solution.
Best regards
Steve
>> 1. FreeRadius lacks the ability to actually run Nas's behind a link with
>> a
>> dynamic IP. Although not recommended, this software does not support a
>> proper way of dealing with this.
>
> Nonsense. This is a fundamental limitation of the RADIUS protocol.
>
> If you want to use dynamic IPs, use a VPN, or TLS (RFC 6614)
>
>> This is indeed a fake. I have added this in mysql in the nas table under
>> the field community (described in ify /yfi setup). The connection
>> actually
>> works. I can (ab)use this field as much as desired
>
> Because RADIUS depends on source IP.
>
>>> Of course. RADIUS depends on IP addresses, not on Called-Station-Id.
>>> This is documented in the "dynamic_clients" configuration. Right at
>>> the top of the virtual server.
>>
>> Yes, I have read the documentation (multiple sources, google etc...) I
>> was
>> just wondering what happens when you use the raw module.
>
> It's not distributed with the server. So it's not a supported module.
> And no, I don't use it.
>
> And no, you haven't read the documentation. The files I mentioned
> *clearly* states that the dynamic clients use and cache the source IP.
> They say NOTHING about checking the Called-Station-Id for each packet.
>
>> Is a client defined by a NAS or a user?
>
> RADIUS clients are defined by source IP. The documentation you
> allegedly read makes this clear. So there's no need to ask the above
> question... because the documentation already answers it.
>
>> The output shows indeed when it goes through the the dynamic server
>> section and once it is authenticated it only runs through the default
>> (which is understandable)
>
> So... *nothing* else in the debug output is useful to you.
>
> I guess you've read it as carefully as you've read the documentation.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list