Dynamic and static clients + overlapping dynamic client pools

Fraley, Taylor taylor.fraley at lumen.com
Wed Aug 24 20:30:17 UTC 2022


To clarify:

I mean, if I have, say, a dynamic client configuration that's something like:

client dynamic {
        # network that unknown clients may come from
        ipaddr = 192.168.1.0
        netmask = 24
        # virtual server that decides whether to create the client
        dynamic_clients = dynamic_client_server
        directory = ${confdir}/dynamic-clients/
        # seconds a created client definition is cached
        lifetime = 3600
}

Is it also possible to have a client configured specifically for 192.168.1.2 (or any other single IP that would be contained by that dynamic client)?

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+taylor.fraley=lumen.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Wednesday, August 24, 2022 12:48 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Dynamic and static clients + overlapping dynamic client pools

On Aug 24, 2022, at 12:39 PM, Fraley, Taylor via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>  1.  When you have a configuration with both static client entries and dynamic client pools, where the static clients are contained in the dynamic pool, will FR prefer the static client entry and secret?

  You can't have multiple definitions for one client.  And I'm not sure what a "dynamic client pool" is.  There's no such thing in the server.

>  2.  Can you have two or more overlapping dynamic client pools with different secrets. Perhaps even multiple pools with the same subnet but different secrets?

  I still don't know what a "dynamic client pool" is.

  Clients are defined by IP (or network/mask).  This is how all clients are defined, no matter if they're static or dynamic.

  Static clients come from clients.conf, or similar definitions.

  Dynamic clients come from sites-available/dynamic_clients.  And those clients can come from files, SQL, LDAP, etc.

> For context, we have a large enterprise that uses a handful of shared secrets based on client type. But these different client types are scattered around the same subnets, so it would be impossible, or nearly so, to specify dynamic blocks of any reasonable size. Most clients will be preconfigured as static clients, however, hence question 1. But we need to account for new clients coming online within allowed subnets, and they could be using any one of the handful of secrets. With our current solution, we have a script that monitors for new client requests via the log and creates static clients on demand, but the current solution doesn't require a restart to refresh the clients list, so we are looking for alternatives as we look to FR as a replacement.

  Just list all clients by IP, and use sites-available/dynamic_clients.  You can add clients dynamically.

  I'm not sure what else you're looking for here.  You haven't explained where subnets and "dynamic client pools" interact with the client definitions.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
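The following is an added example, not configuration from either poster or from the FreeRADIUS project's own distribution. It lays out what the thread discusses: one device listed by its own IP in clients.conf, a dynamic block covering the /24 that device sits in, and the virtual server named in that block (dynamic_client_server) creating clients per source IP with a secret chosen by client type. FreeRADIUS 3.x syntax is assumed; the client names, addresses, NAS types and secret placeholders are invented for illustration, and the thread itself does not state how the server orders a /32 static entry against a /24 dynamic block, so do not read a precedence guarantee into the layout.

```conf
# --- clients.conf: a preconfigured device, listed by its own IP --------------
# (added example; name, address and secret are placeholders)
client switch-lab-02 {
	ipaddr   = 192.168.1.2
	secret   = REPLACE_WITH_SWITCH_SECRET
	shortname = switch-lab-02
	nas_type = cisco
}

# --- clients.conf: the network that not-yet-listed devices may come from -----
# No secret here: the virtual server below decides, per source IP, whether a
# client is created and which secret it gets.
client dynamic {
	ipaddr  = 192.168.1.0
	netmask = 24
	dynamic_clients = dynamic_client_server
	directory = ${confdir}/dynamic-clients/
	lifetime  = 3600
}

# --- sites-available/dynamic_client_server (link it into sites-enabled) ------
# Runs once for each unknown source IP inside 192.168.1.0/24.  Anything that
# reaches "ok" after the update becomes a trusted client with that secret, so
# every branch tests an explicit address and the fall-through is "reject".
server dynamic_client_server {
	authorize {
		#  Placeholder: a wireless controller that uses the WLC-type secret.
		if (&Packet-Src-IP-Address == 192.168.1.50) {
			update control {
				&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				&FreeRADIUS-Client-Secret     = "REPLACE_WITH_WLC_SECRET"
				&FreeRADIUS-Client-Shortname  = "wlc-%{Packet-Src-IP-Address}"
				&FreeRADIUS-Client-NAS-Type   = "other"
			}
			ok
		}
		#  Placeholder: an access switch that uses the switch-type secret.
		elsif (&Packet-Src-IP-Address == 192.168.1.77) {
			update control {
				&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				&FreeRADIUS-Client-Secret     = "REPLACE_WITH_SWITCH_SECRET"
				&FreeRADIUS-Client-Shortname  = "switch-%{Packet-Src-IP-Address}"
				&FreeRADIUS-Client-NAS-Type   = "cisco"
			}
			ok
		}
		else {
			#  Unknown address inside the allowed subnet: create no client,
			#  so the request is discarded like any other unknown-client packet.
			reject
		}
	}
}
```

The per-address tests stand in for whatever source the secrets really live in; the same update control block works when the secret and NAS type come from a SQL or LDAP lookup keyed on %{Packet-Src-IP-Address}. Keep the default branch a reject: with lifetime = 3600 a client created by mistake stays trusted for an hour, and it carries whatever secret the branch assigned.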


