Dynamic Clients

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 14 14:33:36 CEST 2014

On 14/08/14 13:04, Kev Pearce wrote:
>> If FreeRADIUS could do this, the packet parsing would have to be
>> two-pass - decode without authenticator (because you lack the
>> secret), extract NAS-IP-Address, find client/secret, then validate
>> authenticator / Message-Authenticator, and decide to drop or pass
>> and decrypt encrypted fields.
> But doesn't the rlm_raw module provide exactly this? The ability to
> get to payload attributes then use them to lookup the secret etc in
> the dynamic-client SQL request?

It's obviously possible, but currently that is not how FreeRADIUS works, 
so no, you can't currently key off NAS-IP-Address.

> For the user check nas-ip-address is natively available so the user
> lookup by nas-ip-address is easy.

Of course - auth processing happens after the packet is authenticated 
using the secret and decoded, so all attributes received are available.

> I also appreciate that the raw module is not official FR code.

There are presumably reasons for this.

More information about the Freeradius-Users mailing list