Dynamic Clients
Kev Pearce
email.me at kevp.com
Thu Aug 14 10:29:48 CEST 2014
Hi all,
I've spent many hours now trying to get dynamic clients working the way I
would like them to.
But I've now got to the point where I need to reach out to the list for
help.
I appreciate this is a long email with a lot of questions, but I have worked
hard to get this working myself... I just need some pointers now...
I'm running freeradius 2.2.5 on Ubuntu 14.04 with MySQL 5.5
Thank you very much all for all your help,
Kev/.
Deep breath...
1) Is it possible to 'key' all clients by the NAS-IP-Address field rather
than the source IP address field?
I do appreciate that RFC2865 states that it MUST NOT be used, but that was
back in 2000, when Cloud and SaaS hosting didn't exist.
Being how flexible freeradius is, I was wondering if this would be possible
or has been done before.
2) Can Dynamic Clients also be keyed by NAS-IP-Address (naturally linked to
q1)?
I've built my freeradius with the raw module and can do all the dynamic
clients SQL queries using NAS-IP-Address fine, BUT freeradius refuses to
cache the client secret with the message:
rad_recv: Access-Request packet from host 192.168.26.119 port 37350, id=43,
length=86
server dynamic_client_server {
rlm_raw: NAS-IP-Address = 10.10.10.10
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT secret FROM nas WHERE
nas-ip-address='10.10.10.10'
rlm_sql (sql): Released sql socket id: 1
} # server dynamic_client_server
- Cannot add client 192.168.26.119: IP address 10.10.10.10 do not match
Ignoring request to authentication address * port 1812 from unknown client
192.168.26.119 port 37350
Ready to process requests.
This happens when in my dynamic_clients update control, I have:
FreeRADIUS-Client-IP-Address = "%{raw:NAS-IP-Address}"
All works great if I use the source IP address but I'd like to use
NAS-IP-Address.
3) Can a dynamic client set to match 0.0.0.0/0, support loading a 0.0.0.0/0
client from sql on start up?
If I have a client defined in my nas table with the nasname 0.0.0.0/0, I get
the following message on start up:
rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server
FROM nas
rlm_sql (sql): Read entry nasname=0.0.0.0/0,shortname=All,secret=xxxxxxxx
rlm_sql (sql): Adding client 0.0.0.0 (All, server=<none>) to clients list
Failed to add duplicate client All
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Failed to add client 0.0.0.0 (All) to clients list. Maybe
there's a duplicate?
Failed to load clients from SQL.
This does of course tell me what the problem is but is there a way to have a
0.0.0.0/0 client?
I've tested having 0.0.0.0/1 and 128.0.0.0/1 as two separate clients
pointing to one dynamic clients virtual server, like this:
client dynamic_bottom {
ipaddr = 0.0.0.0
netmask = 1
dynamic_clients = dynamic_client_server
lifetime = 3600
}
client dynamic_top {
ipaddr = 128.0.0.0
netmask = 1
dynamic_clients = dynamic_client_server
lifetime = 3600
}
server dynamic_client_server {
authorize {
if ("%{sql:SELECT nasname FROM nas ...
Now this does start up fine without error and reports:
rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server
FROM nas
rlm_sql (sql): Read entry nasname=0.0.0.0/0,shortname=All,secret=xxxxxxxx
rlm_sql (sql): Adding client 0.0.0.0 (All, server=<none>) to clients list
rlm_sql (sql): Released sql socket id: 4
But then when I try a radtest (now using normal source address matching) the
client still gets looked up by the dynamic client, even though this 'All'
entry should match any v4 IP address:
rad_recv: Access-Request packet from host 192.168.26.119 port 44846, id=20,
length=86
server dynamic_client_server {
rlm_raw: NAS-IP-Address = 10.10.10.10
rlm_raw: NAS-IP-Address = 10.10.10.10
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT nasname FROM nas ...
Is the 'read nas list on start up' stripping the /netmask and only adding
0.0.0.0 as a single host entry?
Is it possible to 'see' the list of known clients within freeradius when it
is running, be they loaded at start up or learned by dynamic_clients?
4) Do dynamic clients support network address range client definition
lookups in sql, i.e. nasname = 192.168.1.0/24?
I've got my dynamic clients lookup sql queries working to find matching
network entries when the request only has a single source IP address (using
decimal ip address value comparisons and order by netmask sql queries), and
the returned nasname from the sql entry to the dynamic client IS a network
range but I think freeradius only caches it as a single host.
It works but I think it only adds the entry as a single host, when I try
from a different host in the same subnet, I see another dynamic client sql
lookup.
The documentation in dynamic_clients says you can do the same as you can
with the normal clients file, which does support networks.
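Added worked example (not part of Kev's post, and not FreeRADIUS or rlm_sql code) of the lookup described in question 4: a nas table holding network ranges, queried by integer address comparison and ordered by prefix length so the most specific network wins. It also shows how a 0.0.0.0/0 catch-all row from question 3 can coexist with narrower entries under that ordering. The lookup is keyed by the packet's source IP, as in the author's working variant. Everything here is constructed: sqlite3 stands in for MySQL, the columns net_start, net_end and prefixlen are assumptions, and the shortnames and secrets are placeholders.

```python
import ipaddress
import sqlite3

# Constructed sample nas rows: (nasname, shortname, secret). Secrets are placeholders.
SAMPLE_NAS = [
    ("0.0.0.0/0", "All", "placeholder-catchall-secret"),
    ("192.168.1.0/24", "office-lan", "placeholder-office-secret"),
    ("192.168.1.10", "office-nas", "placeholder-host-secret"),  # bare host = /32
]

# Most-specific-match query: every network containing the address qualifies,
# the longest prefix is returned first, so 0.0.0.0/0 only wins as a last resort.
LOOKUP_SQL = """
SELECT nasname, shortname, secret, prefixlen
FROM nas
WHERE ? BETWEEN net_start AND net_end
ORDER BY prefixlen DESC
LIMIT 1
"""


def open_nas_db(rows):
    """Build an in-memory nas table with precomputed integer range columns.

    IPv4 only: the integer form must fit a 64-bit SQL integer, which IPv6 does not.
    (Assumed schema; the real FreeRADIUS nas table has no such columns by default.)
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE nas (
               id INTEGER PRIMARY KEY,
               nasname TEXT NOT NULL,
               shortname TEXT,
               secret TEXT NOT NULL,
               net_start INTEGER NOT NULL,
               net_end INTEGER NOT NULL,
               prefixlen INTEGER NOT NULL)"""
    )
    for nasname, shortname, secret in rows:
        net = ipaddress.ip_network(nasname, strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 ranges are supported here: {nasname}")
        conn.execute(
            "INSERT INTO nas (nasname, shortname, secret, net_start, net_end, prefixlen)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (
                nasname,
                shortname,
                secret,
                int(net.network_address),
                int(net.broadcast_address),
                net.prefixlen,
            ),
        )
    conn.commit()
    return conn


def lookup_client(conn, packet_src_ip):
    """Return the most specific nas row covering the packet's source address, or None.

    The returned nasname is the matched network, not the single source host,
    so a caller can see which range the client was matched against.
    """
    addr = ipaddress.ip_address(packet_src_ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are supported here")
    row = conn.execute(LOOKUP_SQL, (int(addr),)).fetchone()
    if row is None:
        return None
    return {"nasname": row[0], "shortname": row[1], "secret": row[2], "prefixlen": row[3]}


if __name__ == "__main__":
    db = open_nas_db(SAMPLE_NAS)
    for src in ("192.168.1.10", "192.168.1.20", "10.10.10.10"):
        print(src, "->", lookup_client(db, src))
```

In MySQL the same integer columns can be populated with INET_ATON() when a row is inserted, and the query above is unchanged apart from that. What the server then caches from the returned row is still FreeRADIUS's decision, which is the behaviour the post is asking about.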