Multiple NAS clients within same network

Jonathan Davis jonathan at prioritycolo.com
Tue Oct 4 14:51:07 UTC 2022


Do the debug logs confirm your conclusion?

Jonathan Davis

On 2022-10-04 10:34 a.m., sachin shetty wrote:
> Hello,
>
> I'm using Freeradius for VPN and Wifi clients. Lately, I encountered a
> scenario wrt the NAS client IP address. Before I explain my problem to you,
> I'd like to give you a brief on the configuration. I'm using the
> dynamic_clients section, which verifies the NAS entries against the
> external SQL server. Post which uses rest auth for completion.
>
> We have a scenario where a Wireless access point Wifi and VPN gateway are
> configured at the customer site, and the network has one public IP for both
> NAS clients.
>
> In *the nas* table, I have two entries with the same nas name, i.e.,
> the same client IP address but different secrets. When the Radius packet
> from *NAS client 1* is received, it resolves to the right entry in the
> database and happy flow. And when the Radius packet from *NAS client 2*
> is received, it complains the secret is invalid, as it always picks one
> entry from the database. This is evident from the query pasted below for
> reference.
>
> I was of the opinion that secret is different, so lookup can be solved. But
> from the *dynamic_clients* documentation, it reads as, "*You can specify
> overlapping networks (127/8 and 127.0/16). In that case, the smallest
> possible network will be used as the "best match" for the client.*" But in
> my case it is overlapping IPs. I also read that some NAS clients do allow to
> change NAS-IP address, and some don't. At first, I thought relying on the
> NAS-IP address instead of Packet-Src-Ip-Address as Packet-Src-Ip-Address is
> same in radius auth packets from both sources. But apparently, I see the
> NAS IP address remains the same, and some NAS clients don't allow to change
> their NAS IP address.
>
> *Questions are:*
>
>
> *1. Is this the correct configuration (where two NAS clients under same
> roof)? If yes, is it a solved use case?*
>
> *2. Should I use shortname in the query where clause? Will that help?
> This requires configuring shortname at the NAS client? Or does this
> mean I can have only one IP per NAS client?*
>
> *3. Any alternative approach I can look for dynamic_clients query? I do not
> want to skip dynamic_client auth as it efficiently blocks invalid
> clients. Any reason for dynamic clients not looping all the entries
> matching the same IP address to compare secrets? i.e. forming uniqueness
> with IP and secret together.*
>
>
>
> This is the current query (default from the package, as I haven't changed
> anything)
>
> if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
>          update control {
>                  #
>                  #  Echo the IP.
>                  &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
>
>                  #
>                  #  Do multiple SELECT statements to grab
>                  #  the various definitions.
>                  &FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
>
>                  &FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
>
>                  &FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
>
>                  &FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
>          }
>
> }
>
>
> Thanks,
> Sachin
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
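
Added example, not part of either message and not FreeRADIUS code: a Python/SQLite model of the lookup in the quoted question, showing that a `nas` lookup keyed only on the source IP hands back the same secret for both devices, plus an audit query that lists such collisions. The rows, addresses and function names are constructed, and "first row wins" is an assumption standing in for "it always picks one entry".

```python
import sqlite3

# Constructed sample rows: two NAS devices behind one public IP, one elsewhere.
ROWS = [
    ("203.0.113.10", "site-a-wifi", "wifi-secret"),
    ("203.0.113.10", "site-a-vpn", "vpn-secret"),
    ("198.51.100.7", "site-b-vpn", "other-secret"),
]
LOOKUP_COLUMNS = {"nasname", "shortname", "secret"}


def build_db(rows=ROWS):
    """Create an in-memory nas table holding only the columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nas (id INTEGER PRIMARY KEY, nasname TEXT, "
               "shortname TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO nas (nasname, shortname, secret) VALUES (?, ?, ?)", rows)
    return db


def first_value(db, column, src_ip):
    """Model a single-value lookup keyed on source IP: first row wins."""
    if column not in LOOKUP_COLUMNS:
        raise ValueError(f"unexpected column: {column}")
    # ORDER BY id only makes the model deterministic; the quoted queries
    # have no ORDER BY, so the database is free to choose the row.
    row = db.execute(
        f"SELECT {column} FROM nas WHERE nasname = ? ORDER BY id LIMIT 1",
        (src_ip,)).fetchone()
    return row[0] if row else None


def ambiguous_clients(db):
    """Return {nasname: [shortnames]} where one address maps to >1 secret."""
    dupes = db.execute(
        "SELECT nasname FROM nas GROUP BY nasname "
        "HAVING COUNT(DISTINCT secret) > 1 ORDER BY nasname").fetchall()
    return {
        ip: [r[0] for r in db.execute(
            "SELECT shortname FROM nas WHERE nasname = ? ORDER BY id", (ip,))]
        for (ip,) in dupes
    }


if __name__ == "__main__":
    db = build_db()
    print("secret used for 203.0.113.10:", first_value(db, "secret", "203.0.113.10"))
    print("ambiguous:", ambiguous_clients(db))
```

Both devices at 203.0.113.10 are checked against the one secret the lookup returns, so whichever row is not selected fails the secret check.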

