# -*- text -*-
######################################################################
#
# Sample configuration file for dynamically updating the list
# of RADIUS clients at run time.
#
# Everything is keyed off of a client "network". (e.g. 192.0.2/24)
# This configuration lets the server know that clients within
# that network are defined dynamically.
#
# When the server receives a packet from an unknown IP address
# within that network, it tries to find a dynamic definition
# for that client. If the definition is found, the IP address
# (and other configuration) is added to the server's internal
# cache of "known clients", with a configurable lifetime.
#
# Further packets from that IP address result in the client
# definition being found in the cache. Once the lifetime is
# reached, the client definition is deleted, and any new requests
# from that client are looked up as above.
#
# If no dynamic definition is found, then the request is
# treated as if it came from an unknown client, i.e. it is
# silently discarded.
#
# As part of protection from Denial of Service (DoS) attacks,
# the server will add only one new client per second. This CANNOT
# be changed, and is NOT configurable.
#
# $Id$
#
######################################################################
#
# Define a network where clients may be dynamically defined.
client dynamic {
#
# You MUST specify a netmask!
# IPv4 /32 or IPv6 /128 are NOT allowed!
#
# Every packet from a previously unknown source address inside
# this network triggers a lookup in the "dynamic_clients" virtual
# server below, so keep the network as narrow as your NAS
# population allows.
ipaddr = 192.0.2.0/24
#
# Any other configuration normally found in a "client"
# entry can be used here.
#
# A shared secret does NOT have to be defined here. It can
# be left out: the per-client secret is supplied by the
# virtual server (FreeRADIUS-Client-Secret) when the client
# is discovered.
#
# Define the virtual server used to discover dynamic clients.
dynamic_clients = dynamic_clients
#
# The directory where client definitions are stored. This
# needs to be used ONLY if the client definitions are stored
# in flat-text files. Each file in that directory should be
# ONE and only one client definition. The name of the file
# should be the IP address of the client.
#
# If you are storing clients in SQL, this entry should not
# be used.
# directory = ${confdir}/dynamic-clients/
#
# Define the lifetime (in seconds) for dynamic clients.
# They will be cached for this lifetime, and deleted afterwards.
# Because further packets are answered from the cache, the
# lifetime also bounds how long a secret that was changed or
# revoked in the backing store keeps being honoured.
#
# If the lifetime is "0", then the dynamic client is never
# deleted. The only way to delete the client is to re-start
# the server.
lifetime = 3600
}
#
# This is the virtual server referenced above by "dynamic_clients".
server dynamic_clients {
#
# The only contents of the virtual server is the "authorize" section.
authorize {
#
# Put any modules you want here. SQL, LDAP, "exec",
# Perl, etc. The only requirement is that the
# attributes MUST go into the control item list.
#
# The request that is processed through this section
# is EMPTY. There are NO attributes. The request is fake,
# and is NOT the packet that triggered the lookup of
# the dynamic client.
#
# The ONLY piece of useful information is either
#
# Packet-Src-IP-Address (IPv4 clients)
# Packet-Src-IPv6-Address (IPv6 clients)
#
# Both are filled in by the server from the source address of
# the triggering packet, not from any attribute the sender put
# into the packet.
#
# The attributes used to define a dynamic client mirror
# the configuration items in the "client" structure.
#
#
# Example 1: Hard-code a client IP. This example is
# useless, but it documents the attributes
# you need.
#
# NOTE: this block is active, not commented out. As written,
# every unknown host in the "client dynamic" network is
# accepted with the secret "testing123" and without a
# Message-Authenticator requirement. Comment the block out
# before deploying. It also runs before Examples 2 and 3, and
# in an "update" section "=" only adds an attribute that is
# not yet present, so values set here would not be replaced
# by the SQL/LDAP lookups below.
#
update control {
#
# Echo the IP address of the client.
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
# require_message_authenticator
# "no" accepts Access-Requests that carry no
# Message-Authenticator; prefer "yes" where the NAS supports it.
&FreeRADIUS-Client-Require-MA = no
# secret
# Placeholder value; never ship this to production.
&FreeRADIUS-Client-Secret = "testing123"
# shortname
&FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
# nas_type
&FreeRADIUS-Client-NAS-Type = "other"
# virtual_server
#
# This can ONLY be used if the network client
# definition (e.g. "client dynamic" above) has
# NO virtual_server defined.
#
# If the network client definition does have a
# virtual_server defined, then that is used,
# and there is no need to define this attribute.
#
&FreeRADIUS-Client-Virtual-Server = "something"
}
#
# Example 2: Read the clients from "clients" files
# in a directory.
#
# This requires you to uncomment the
# "directory" configuration in the
# "client dynamic" configuration above,
# and then put one file per IP address in
# that directory.
#
dynamic_clients
#
# Example 3: Look the clients up in SQL.
#
# This requires the SQL module to be configured, of course.
#
# An empty query result makes the condition false, so source
# addresses with no "nas" row fall through without defining a
# client. The nested %{Packet-Src-IP-Address} is a server-
# generated IP address, not free-form NAS input.
if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
update control {
#
# Echo the IP.
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
#
# Do multiple SELECT statements to grab
# the various definitions.
&FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
&FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
&FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
&FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
}
}
# Example 4: Look the clients up in LDAP.
#
# Do an LDAP lookup in the elements OU, check to see if
# the Packet-Src-IP-Address object has a "ou"
# attribute, if it does continue. Change "ACME.COM" to
# the real OU of your organization.
#
# Assuming the following schema:
#
# OU=Elements,OU=Radius,DC=ACME,DC=COM
#
# Elements will hold a record of every NAS in your
# Network. Create Group objects based on the IP
# Address of the NAS and set the "Location" or "l"
# attribute to the NAS Huntgroup the NAS belongs to
# allow them to be centrally managed in LDAP.
#
# e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
#
# With a "l" value of "CiscoRTR" for a Cisco Router
# that has a NAS-IP-Address or Source-IP-Address of
# 10.1.2.3.
#
# And with a "ou" value of the shared secret password
# for the NAS element. ie "password"
#
# The shared secret is stored in clear text in the "ou"
# attribute, so restrict read access to that attribute to
# the bind DN the ldap module uses.
if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
update control {
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
# Set the Client-Shortname to be the Location
# "l" just like in the Huntgroups, but this
# time to the shortname.
&FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
# Lookup and set the Shared Secret based on
# the "ou" attribute.
&FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
}
}
#
# Tell the caller that the client was defined properly.
#
# If the authorize section does NOT return "ok", then
# the new client is ignored.
#
# This "ok" is unconditional: it is reached even when none
# of the lookups above matched, so make sure at least one
# of them has set the control attributes before relying on it.
ok
}
}