Multiple NAS clients within same network

sachin shetty sachinshetty.r1 at gmail.com
Tue Oct 4 14:54:59 UTC 2022


Yes, I confirmed this behavior post debug.

On Tue, Oct 4, 2022 at 8:21 PM Jonathan Davis <jonathan at prioritycolo.com>
wrote:

> do the debug logs confirm your conclusion ?
>
> Jonathan Davis
>
> On 2022-10-04 10:34 a.m., sachin shetty wrote:
> > Hello,
> >
> > I'm using Freeradius for VPN and Wifi clients. Lately, I encountered a
> > scenario wrt the NAS client IP address. Before I explain my problem to
> you,
> > I'd like to give you a brief on the configuration. I'm using the
> > dynamic_clients section, which verifies the NAS entries against the
> > external SQL server. Post which uses rest auth for completion.
> >
> > We have a scenario where a Wireless access point Wifi and VPN gateway are
> > configured at the customer site, and the network has one public IP for
> both
> > NAS clients.
> >
> > In *the nas* table, I have two entries with the same nas name, i.e.,
> > the same client IP address but different secrets. When the Radius packet
> > from *NAS client **1* received, it resolves to the right entry in the
> > database and happy flow. And when the Radius packet from *NAS client
> > 2* received
> > it complains secret is invalid as it always picks one entry from the
> > database. This is evident from the query pasted below for reference.
> >
> > I was of the opinion that secret is different, so lookup can be solved.
> But
> > from the *dynamic_clients* documentation, it reads as, "*You can specify
> > overlapping networks (127/8 and 127.0/16)*.* In that case, the smallest
> > possible network will be used as the "best match" for the client.*" But
> in
> > mycase it is overlapping IPs. I also read that some NAS clients do allow
> to
> > change NAS-IP address, and some don't. At first, I thought relying on the
> > NAS-IP address instead of Packet-Src-Ip-Address as Packet-Src-Ip-Address
> is
> > same in radius auth packets from both sources. But apparently, I see the
> > NAS IP address remains the same, and some NAS clients don't allow to
> change
> > their NAS IP address.
> >
> > *Questions are:*
> >
> >
> > *1. Is this the correct configuration (where two NAS clients under same
> > roof)? If yes, is it a solved use case? *
> >
> > *2. Should I use shortname in the query where clause? Will that help?
> > This requires configuring shortname at the NAS client? *Or *does this
> > mean I can have only one IP per NAS client ? *
> >
> > *3. Any alternative approach I can look for dynamic_clients query? I do
> not
> > want to skip dynamic_client auth as it efficiently blocks invalid
> > clients. **Any
> > reason for dynamic clients not looping all the entries matching the same
> IP
> > address to compare secrets? i.e forming uniqueness with IP and secret
> > together.*
> >
> >
> >
> > This is the current query (default from the package, as I haven't changed
> > anything)
> >
> > if ("%{sql: SELECT nasname FROM nas WHERE nasname =
> > '%{Packet-Src-IP-Address}'}") {
> >          update control {
> >                  #
> >                  #  Echo the IP.
> >                  &FreeRADIUS-Client-IP-Address =
> "%{Packet-Src-IP-Address}"
> >
> >                  #
> >                  #  Do multiple SELECT statements to grab
> >                  #  the various definitions.
> >                  &FreeRADIUS-Client-Shortname = "%{sql: SELECT
> > shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
> >
> >                  &FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM
> > nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
> >
> >                  &FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM
> > nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
> >
> >                  &FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT
> > server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
> >          }
> >
> > }
> >
> >
> > Thanks,
> > Sachin
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list