Dynamic and static clients + overlapping dynamic client pools

Alan DeKok aland at deployingradius.com
Wed Aug 24 18:48:12 UTC 2022


On Aug 24, 2022, at 12:39 PM, Fraley, Taylor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>  1.  When you have a configuration with both static client entries and dynamic client pools, where the static clients are contained in the dynamic pool, will FR prefer the static client entry and secret?

  You can't have multiple definitions for one client.  And I'm not sure what a "dynamic client pool" is.  There's no such thing in the server.

>  2.  Can you have two or more overlapping dynamic client pools with different secrets? Perhaps even multiple pools with the same subnet but different secrets?

  I still don't know what a "dynamic client pool" is.

  Clients are defined by IP (or network/mask).  This is how all clients are defined, no matter if they're static or dynamic.

  Static clients come from clients.conf, or similar definitions.

  Dynamic clients come from sites-available/dynamic_clients.  And those clients can come from files, SQL, LDAP, etc.

> For context, we have a large enterprise that uses a handful of shared secrets based on client type. But these different client types are scattered around the same subnets, so it would be impossible or nearly so to specify dynamic blocks of any reasonable size. Most clients will be preconfigured as static clients, however, hence question 1. But we need to account for new clients coming online within allowed subnets, but they could be using one of the handful of secrets. With our current solution, we have a script that monitors for new client requests via log and creates static clients on demand, but the current solution doesn't require a restart to refresh the clients list, so we are looking for alternatives as we look to FR as a replacement.

  Just list all clients by IP, and use sites-available/dynamic_clients.  You can add clients dynamically.

  I'm not sure what else you're looking for here.  You haven't explained where subnets and "dynamic client pools" interact with the client definitions.

  Alan DeKok.
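
The per-IP approach described in the reply above, as an added configuration example that is not part of the original message: a network is allowed to register clients dynamically, and each client's secret is looked up by its source IP, so different client types in one subnet can carry different secrets. It assumes FreeRADIUS 3.x, an enabled sql module with the stock `nas` table, and a constructed network (192.0.2.0/24) and lifetime.

```conf
# Assumed placement: the dynamic clients virtual server under sites-available/
# (enable it with a symlink in sites-enabled/). Values below are constructed.

# Network from which unknown clients may be added at run time.
# No secret is set here: the secret is assigned per IP in the lookup below.
client dynamic {
	ipaddr = 192.0.2.0/24

	# Virtual server that decides whether a new source IP becomes a client.
	dynamic_clients = dynamic_clients

	# Seconds before a dynamic client definition expires and is looked up again.
	# A finite value lets a changed or removed row take effect without a restart.
	lifetime = 3600
}

server dynamic_clients {
	authorize {
		# One row per client IP in the "nas" table (assumed stock SQL schema).
		# An IP with no row matches nothing, so no client definition is created for it.
		if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
			update control {
				# The client is defined for exactly the IP that sent the packet.
				&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

				&FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				# Per-client shared secret: two neighbours in the same subnet
				# can use different secrets because the key is the IP.
				&FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
			}
		}
		ok
	}
}
```

Because the shared secrets live in the `nas` table in this example, access to that table needs the same protection as clients.conf.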


