dynamic-clients supporting CDIR entries in v3
Kev Pearce
email.me at kevp.com
Mon Sep 15 16:03:33 CEST 2014
Hi All,
> It turns out that does work. Just set the prefix in the correct
attribute. Instead of using FreeRADIUS-Client-IP-Address, use:
> FreeRADIUS-Client-IP-Prefix = 1.2.3.0/24
So I had a go at testing this... what I have is my SQL database is for my
virtual server (vs3001) I have two entries: 128.0.0.0/1 and 0.0.0.0/1 both
with the same secret.
I have my dynamic_clients setup as 0.0.0.0/0.
I have a test machine with two interfaces, one in a 10.x subnet and one in a
192.x subnet.
This allows me to test both halves of my nas CIDR ranges.
When I test to the 192 address, all works fine, it adds the 128.0.0.0/1 CIDR
subnet perfect:
Received Access-Request Id 127 from 192.168.26.132:56120 to
192.168.26.131:3001 length 86
server dynamic_client_server {
...
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start
AND INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> 128.0.0.0/1
(0) FreeRADIUS-Client-IP-Prefix = 128.0.0.0/1
...
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start
AND INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> 128.0.0.0/1
(0) FreeRADIUS-Client-Shortname = "128.0.0.0/1"
...
(0) EXPAND %{sql: SELECT secret FROM nas WHERE udp_port = %{Packet-Dst-Port}
AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start AND
INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> testing1
(0) FreeRADIUS-Client-Secret = "testing1"
...
(0) EXPAND %{sql: SELECT server FROM nas WHERE udp_port = %{Packet-Dst-Port}
AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start AND
INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> vs3001
(0) FreeRADIUS-Client-Virtual-Server = "vs3001"
(0) FreeRADIUS-Client-NAS-Type = 'other'
(0) } # update control = noop
(0) } # if ("%{sql:SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start
AND INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}") = noop
(0) [ok] = ok
(0) } # authorize = ok
} # server dynamic_client_server
- Added client 128.0.0.0 with shared secret testing1
Radmin also backs this up:
radmin> show client list
0.0.0.0/0
0.0.0.0/0
128.0.0.0/1
radmin>
But... when I connect from the 10 network (where it should match 0.0.0.0/1)
I get:
Received Access-Request Id 151 from 10.0.0.2:43792 to 10.0.0.3:3001 length
86
server dynamic_client_server {
...
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start
AND INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> 0.0.0.0/1
(0) FreeRADIUS-Client-IP-Prefix = 0.0.0.0/1
...
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start
AND INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> 0.0.0.0/1
(0) FreeRADIUS-Client-Shortname = "0.0.0.0/1"
...
(0) EXPAND %{sql: SELECT secret FROM nas WHERE udp_port = %{Packet-Dst-Port}
AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start AND
INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> testing1
(0) FreeRADIUS-Client-Secret = "testing1"
...
(0) EXPAND %{sql: SELECT server FROM nas WHERE udp_port = %{Packet-Dst-Port}
AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start AND
INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}
(0) --> vs3001
(0) FreeRADIUS-Client-Virtual-Server = "vs3001"
(0) FreeRADIUS-Client-NAS-Type = 'other'
(0) } # update control = noop
(0) } # if ("%{sql:SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} AND INET_ATON('%{Packet-Src-IP-Address}') >= ip_dec_start
AND INET_ATON('%{Packet-Src-IP-Address}') <= ip_dec_end LIMIT 1}") = noop
(0) [ok] = ok
(0) } # authorize = ok
} # server dynamic_client_server
Failed to add duplicate client 0.0.0.0/1
- Cannot add client 0.0.0.0: Internal error
Ignoring request to auth address * port 3001 as server vs3001 from unknown
client 10.0.0.2 port 43792 proto udp
It thinks it has a duplicate entry... which leads me to believe it's not
checking the mask, just comparing IP addresses.
I also noted the text that is output when the CIDR range is successfully
added only says the network id and not the CIDR mask.
Same with the Cannot add client message too.
When loading from SQL at start up this works great and adds both of my two
nas clients per virtual server (exactly what I'm after :-) ). But not when
it's done by dynamic clients, which I'm also after...
Any ideas as to how to get FR to dynamically learn the 0.0.0.0/1 without
complaining it's a duplicate of 0.0.0.0/0?
Or might this be considered a bug...?
Cheers very much
Kev/.
More information about the Freeradius-Users
mailing list