RLM_Rest and Dynamic Clients
Alan DeKok
aland at deployingradius.com
Fri Jul 17 14:31:47 CEST 2015
On Jul 17, 2015, at 8:08 AM, Nick Cappelletti <nick at switchtower.com> wrote:
> Thanks for the response. I’ve read over the dynamic clients a few times, and understand how reading from a file, reading from a DB, and how the LDAP integration works, but I’m still trying to grasp the concept of the REST integration and how to keep the number of requests down to a minimum. With the LDAP and SQL integration, I know that to grab the FreeRADIUS-Client-Shortname and FreeRADIUS-Client-Secret that we need for our clients, they’re all separate queries and with the number of devices we have on our network (2000+), and the large number of logins we have, I’m afraid I would end up DOS’ing the web server the API sits on with said requests.
The dynamic clients are cached for a period of time. This is documented. So the REST API will get hit for *one* packet, and then never again for 5-10 minutes, or whatever you set the timeout as.
You're free to set the timeout for an hour. In which case the API will get hit about every 2 seconds on average.
> The other question I have is: how to configure the rest module. I’ve seen the demo Perl server, found a Server Fault page explaining how to get ‘authorize’ to work (http://serverfault.com/questions/597393/configuring-rlm-rest-module-in-freeradius), and read through the comments in the source, and I could make an educated guess on how to configure the dynamic-clients, but without knowing for sure, I’d be grasping at straws trying to get it to work.
I don't understand what the issue is... there is *nothing* magic about dynamic clients. Just make sure that you set the right attributes with the right values. Where those values come from is a separate step.
> The best that I could come up with was:
>
> server dynamic_clients {
>     authorize {
>         if ("%{rest: https://url?ipaddress='%{Packet-Src-IP-Address}'}") {
>             update control {
>                 &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
>                 &FreeRADIUS-Client-Shortname = "%{rest: https://url?ipaddress='%{Packet-Src-IP-Address}'&return=shortname}"
>                 &FreeRADIUS-Client-Secret = "%{rest: https://url?ipaddress='%{Packet-Src-IP-Address}'&return=secret}"
That should probably work.
One thing we've done in the 3.1 branch is to add a "map" capability. The rest module can return a set of values at once, and they can get mapped to a set of RADIUS attributes. That lowers the number of API calls.
But for your case, loading a dynamic client every 2 seconds shouldn't be a problem. If that's a problem, you can set the timeout to 10 hours. And then use "radmin" to manually delete the client if you need to do that.
Alan DeKok.
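
An added example, not part of the original message and not FreeRADIUS code: a minimal stand-in for the lookup API that the quoted `%{rest:...}` expansions would query, returning one value per request as a plain-text body. The `ipaddress` and `return` parameters come from the quoted configuration; the inventory, port, status codes and the choice to answer a bare lookup with the shortname are assumptions.

```python
# Added example: stand-in for the lookup API queried by the quoted config.
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

# Constructed sample inventory; a real deployment would query its own database.
CLIENTS = {
    "192.0.2.10": {"shortname": "sw-access-01", "secret": "constructed-secret-1"},
    "192.0.2.11": {"shortname": "sw-access-02", "secret": "constructed-secret-2"},
}
FIELDS = ("shortname", "secret")

def lookup(query):
    """Return (status, body) for a query such as ipaddress='192.0.2.10'&return=secret."""
    params = parse_qs(query)
    # The quoted config wraps the address in single quotes; strip them.
    raw = params.get("ipaddress", [""])[0].strip("'\"")
    try:
        ip = str(ipaddress.ip_address(raw))  # accept only an IP literal
    except ValueError:
        return 400, ""
    client = CLIENTS.get(ip)
    if client is None:
        return 404, ""                       # unknown NAS: empty body, no secret
    field = params.get("return", ["shortname"])[0]
    if field not in FIELDS:                  # allow-list the returnable fields
        return 400, ""
    return 200, client[field]

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = lookup(urlsplit(self.path).query)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Loopback only: the responses contain RADIUS shared secrets.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With the quoted configuration, each uncached client costs three such requests (the `if` test plus the two attribute lookups), which is the per-client load the cache lifetime spreads out.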