Multiple NAS clients within same network

sachin shetty sachinshetty.r1 at gmail.com
Tue Oct 4 14:34:47 UTC 2022


Hello,

I'm using FreeRADIUS for VPN and WiFi clients. Lately, I encountered a
scenario with respect to the NAS client IP address. Before I explain my problem to you,
I'd like to give you a brief on the configuration. I'm using the
dynamic_clients section, which verifies the NAS entries against the
external SQL server, after which it uses rest auth for completion.

We have a scenario where a wireless access point (WiFi) and a VPN gateway are
configured at the customer site, and the network has one public IP for both
NAS clients.

In the nas table, I have two entries with the same nas name, i.e.,
the same client IP address but different secrets. When the RADIUS packet
from NAS client 1 is received, it resolves to the right entry in the
database and the flow is happy. When the RADIUS packet from NAS client
2 is received, it complains that the secret is invalid, as it always picks one
entry from the database. This is evident from the query pasted below for reference.

I was of the opinion that since the secret is different, the lookup could be solved. But
the dynamic_clients documentation reads: "You can specify
overlapping networks (127/8 and 127.0/16). In that case, the smallest
possible network will be used as the "best match" for the client." But in
my case it is overlapping IPs. I also read that some NAS clients allow
changing the NAS-IP-Address, and some don't. At first, I thought of relying on the
NAS-IP-Address instead of Packet-Src-IP-Address, as Packet-Src-IP-Address is the
same in RADIUS auth packets from both sources. But apparently, I see the
NAS IP address remains the same, and some NAS clients don't allow changing
their NAS IP address.

Questions are:

1. Is this the correct configuration (where two NAS clients are under the same
roof)? If yes, is it a solved use case?

2. Should I use shortname in the query WHERE clause? Will that help?
Does this require configuring the shortname at the NAS client? Or does this
mean I can have only one IP per NAS client?

3. Is there any alternative approach I can look at for the dynamic_clients query? I do not
want to skip dynamic_clients auth, as it efficiently blocks invalid
clients. Is there any reason for dynamic clients not looping over all the entries
matching the same IP address to compare secrets, i.e. forming uniqueness with IP
and secret together?



This is the current query (default from the package, as I haven't changed
anything):

if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
        update control {
                #
                #  Echo the IP.
                &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

                #
                #  Do multiple SELECT statements to grab
                #  the various definitions.
                &FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

                &FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

                &FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

                &FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
        }
}


Thanks,
Sachin
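An added, stand-alone Python sketch of the "loop over all entries and compare secrets" idea from question 3; it is not FreeRADIUS code and not from the poster. It assumes the request carries a Message-Authenticator (RFC 3579, HMAC-MD5 keyed with the shared secret over the packet with that attribute zeroed) and tries each candidate secret stored for the source IP; the nas rows and the packet are constructed, and whether a given NAS sends Message-Authenticator is not a claim of this example.

```python
import hashlib
import hmac
import struct

# Constructed nas rows: two NAS clients behind one public IP, different secrets
# (stand-in for the poster's nas table; all values are made up).
NAS_ROWS = [
    {"nasname": "203.0.113.10", "shortname": "wifi-ap", "secret": "ap-secret-1"},
    {"nasname": "203.0.113.10", "shortname": "vpn-gw", "secret": "vpn-secret-2"},
]

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def build_access_request(secret, identifier, authenticator, attrs):
    """Build an Access-Request whose Message-Authenticator is computed with `secret`."""
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the
    # Message-Authenticator value zeroed while computing.
    placeholder = bytes([MSG_AUTH, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret.encode(), header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + bytes([MSG_AUTH, 18]) + mac

def message_authenticator_valid(packet, secret):
    """Recompute the HMAC-MD5 with a candidate secret; True only if it matches."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    header, pos, rebuilt, received = packet[:20], 20, b"", None
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            received = packet[pos + 2:pos + 18]
            rebuilt += packet[pos:pos + 2] + b"\x00" * 16
        else:
            rebuilt += packet[pos:pos + alen]
        pos += alen
    if received is None:
        return False  # no Message-Authenticator: the secret cannot be checked this way
    expected = hmac.new(secret.encode(), header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def select_client(packet, src_ip):
    """Try every nas row for the source IP; return the one whose secret verifies, else None."""
    for row in NAS_ROWS:
        if row["nasname"] == src_ip and message_authenticator_valid(packet, row["secret"]):
            return row
    return None
```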

