dynamic-clients supporting CDIR entries in v3
Kev Pearce
email.me at kevp.com
Sat Sep 13 01:55:35 CEST 2014
Hi all,
It was previously mentioned on the list (by Arran) that:
> Just to note that adding IP ranges dynamically does work in v3.0.x.
> The check is then relaxed to ensure the src IP address is in the range
which was just added.
I'd really like to get his working.
So I've converted my config to v3, installed the release v3.0.4 and with
read_clients = no, I've setup my dynamic-clients server thus:
server vs3001 {
listen {
ipaddr = *
port = 3001
type = auth
}
client dynamic_all_3001 {
ipaddr = 0.0.0.0/0
dynamic_clients = dynamic_client_server
lifetime = 3600
}
...
}
server dynamic_client_server {
authorize {
if ("%{sql:SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}") {
update control {
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
FreeRADIUS-Client-Shortname = "%{sql: SELECT nasname FROM
nas WHERE udp_port = %{Packet-Dst-Port} LIMIT 1}"
FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas
WHERE udp_port = %{Packet-Dst-Port} LIMIT 1}"
FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server
FROM nas WHERE udp_port = %{Packet-Dst-Port} LIMIT 1}"
FreeRADIUS-Client-NAS-Type = "other"
}
}
ok
}
}
With a nas table that looks like:
nasname secret server udp_port
==========================================
0.0.0.0/1, testing1 vs3001 3001
128.0.0.0/1 testing1 vs3001 3001
When I test from another host, I get:
Received Access-Request Id 8 from 10.0.0.2:48920 to 10.0.0.3:3001 length 86
server dynamic_client_server {
...
(0) EXPAND %{sql:SELECT nasname FROM nas WHERE udp_port = %{Packet-Dst-Port}
LIMIT 1}
(0) --> 128.0.0.0/1
...
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 10.0.0.2
(0) FreeRADIUS-Client-IP-Address = 10.0.0.2
...
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}
(0) --> 128.0.0.0/1
(0) FreeRADIUS-Client-Shortname = "128.0.0.0/1"
...
(0) EXPAND %{sql: SELECT secret FROM nas WHERE udp_port = %{Packet-Dst-Port}
LIMIT 1}
(0) --> testing1
(0) FreeRADIUS-Client-Secret = "testing1"
...
(0) EXPAND %{sql: SELECT server FROM nas WHERE udp_port = %{Packet-Dst-Port}
LIMIT 1}
(0) --> vs3001
(0) FreeRADIUS-Client-Virtual-Server = "vs3001"
(0) FreeRADIUS-Client-NAS-Type = 'other'
...
} # server dynamic_client_server
- Added client 10.0.0.2 with shared secret testing1
So it's adding the client by just its single source IP address, not the CIDR
network it gets from SQL.
This is backed up by radmin with:
radmin> show client list
0.0.0.0/0
10.0.0.2
So how do you setup the dynamic-clients server fields to load the CIDR
network entry?
They load perfectly with read_clients = yes, but not with dynamic-clients.
If I set FreeRADIUS-Client-IP-Address to anything other than the source IP
address of the packet (here it's set to nasname), I get an unknown client
error:
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}
(0) --> 128.0.0.0/1
(0) } # update control = fail
(0) } # if ("%{sql:SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}") = fail
(0) } # authorize = fail
} # server dynamic_client_server
Ignoring request to auth address * port 3001 as server vs3001 from unknown
client 10.0.0.2 port 58887 proto udp
But of course I was expecting that! :-)
Also, can or would it be would it be possible, for radmin to show the
virtual server that a client is associated with?
Cheers very much all, I'm so close to the final config I'm after!!!
Kev/.
More information about the Freeradius-Users
mailing list