-This virtual server is an EXAMPLE, and should not be enabled as-is.
+This virtual server is an example, and should not be enabled as-is.
-To enable dynamic clients in an existing virtual server, copy
-the "dynamic_clients" sub-section of the "udp" listener from
-the below example. Then copy the "new client", "add client",
-and "deny client" sub-sections into the virtual server.
+To enable dynamic clients in an existing virtual server, copy the
+"dynamic_clients" sub-section of the "udp" listener from the below
+example. Then copy the "new client", "add client", and "deny
+client" sub-sections into the virtual server. Set `dynamic_clients
+= yes` in the listener, and then the virtual server will be enabled
+for dynamic clients.
When clients are added to a listener, they exist ONLY for that
listener. Dynamic clients can process packets ONLY through the
define a global client, and point it to a different virtual server,
+
See the "default" virtual server for examples of how to
configure a "listen" section. Only the "dynamic_clients"
changes are documented here.
be rejected.
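Review bot: the added instruction "Set `dynamic_clients = yes` in the listener" does not match the sample listener in the Default Configuration below, which uses `dynamic_clients = true`; a reader who copies the prose literally gets a setting spelled differently from the shipped example, so pick one spelling and use it in both places. The same sentence also promises that "the virtual server will be enabled for dynamic clients" once the flag is set, but the listener only takes effect for the networks listed in its `networks` block, so the sentence should say that at least one network has to be listed as well.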
Even if a packet is from an allowed
-network, it still must be allowed
-by the "new client" subsection.
+network, it still must be
+configured by the "new client"
+subsection.
There is no limit to the number of
networks which can be listed here.
+Networks are put into a patricia
+trie, so lookups are fast and
+efficient.
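Review bot: replacing "allowed by the "new client" subsection" with "configured by the "new client" subsection" loses the point that this subsection is an authorization decision: a packet from a listed network is still denied unless that subsection returns `ok`. Suggested wording: "it still must be allowed by the "new client" subsection, which has to return `ok`." The added sentence about the patricia trie is a fair performance note but says nothing about the allow/deny semantics, so it should not replace the "allowed" wording.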
-When a request is received from an unknown client, it
-is initially passed through this 'new client' section
-to determine whether to add the client or not.
+When a request is received from an unknown client, it is
+initially passed through this 'new client' section to
+determine whether to add the client or not.
+
+This section should define the client fields as attributes,
+and return `ok` to add the client.
-If the client is added, the request is then sent "for real"
-through the normal virtual server sections, as usual.
+If this section returns `fail`, then the client is denied.
Put any modules you want here. SQL, LDAP, "exec",
control list.
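Review bot: "If this section returns `fail`, then the client is denied" narrows the rule compared with the sentence this change deletes further down ("If the 'new client' section does NOT return "ok", then the new client is ignored"); state which is true, whether the client is denied on every return code other than `ok` (`noop`, `notfound`, `reject`) or only on `fail`, because the two readings give different results for a lookup module that returns `notfound` for an unknown NAS. Dropping "If the client is added, the request is then sent "for real" through the normal virtual server sections" here also leaves the reader without that fact until the very end of the prose, where it reappears as "After client is added, the packet is run through the normal processing sections"; keep one sentence at this point.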
The packet received here is a complete, normal,
-RADIUS packet. All attributes are decoded and
-available. However, all attributes that depend on
-the shared secret (e.g. User-Password, etc.) are
-blank.
+packet. All attributes are decoded and available.
+However, all attributes that depend on the shared
+secret (e.g. User-Password, etc.) are blank.
require_message_authenticator
-secret
shortname
nas_type
-virtual_server
-
-This can ONLY be used if the network client
-definition (e.g. "client dynamic" above) has
-NO virtual_server defined.
-
-If the network client definition does have a
-virtual_server defined, then that is used,
-and there is no need to define this attribute.
-
-&control.FreeRADIUS-Client-Virtual-Server = "something"
-
-
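Review bot: removing `secret` from the list of settable client fields contradicts the example `new client` section below, which still sets `&FreeRADIUS-Client-Secret = "testing123"`; either keep `secret` in the list or say why it is no longer documented. Removing `virtual_server` together with its "ONLY if the network client definition ... has NO virtual_server defined" caveat is consistent with deleting the SQL map that populated `FreeRADIUS-Client-Virtual-Server`, but the document then no longer says how a dynamically added client is routed to a virtual server at all; one sentence stating that the listener's virtual server is used should remain.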
-Example 2: Look the clients up in SQL.
-
-This requires the SQL module to be configured, of course.
-
-
-
-Example 3: Look the clients up in LDAP
-
-@todo - use the new 'map' function to map the
- 'nastable' to the attributes
-
-Do an LDAP lookup in the elements OU, check to
-see if the Packet-Src-IP-Address object has an
-"ou" attribute, if it does continue. Change
-"ACME.COM" to the real OU of your organization.
-
-Assuming the following schema:
-
- OU=Elements,OU=Radius,DC=ACME,DC=COM
-Elements will hold a record of every NAS in your
-Network. Create Group objects based on the IP
-Address of the NAS and set the "Location" or "l"
-attribute to the NAS Huntgroup the NAS belongs to
-allow them to be centrally managed in LDAP.
-e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
+This subsection is called when the client was added.
-With a "l" value of "CiscoRTR" for a Cisco Router
-that has a NAS-IP-Address or Source-IP-Address of
-10.1.2.3.
-
-And with a "ou" value of the shared secret password
-for the NAS element, i.e. "password".
-
-
-Set the Client-Shortname to be the Location
-"l" just like in the Huntgroups, but this
-time to the shortname.
-
-
-Lookup and set the Shared Secret based on
-the "ou" attribute.
-
-
-Tell the caller that the client was defined properly.
-
-If the 'new client' section does NOT return "ok", then
-the new client is ignored.
-
-
-
-This subsection is called if the client was added.
+The main purpose of this section is to enable logging when
+a client is added.
If this section is empty, you can just delete it entirely.
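Review bot: deleting Examples 2 and 3 removes the only lookups that fetched a per-NAS shared secret, so the remaining example hands the same fixed secret to every address in the network; if the SQL and LDAP examples are going, the text should at least point the reader at a lookup module and say the static secret is a placeholder. The inserted sentence "This subsection is called when the client was added." lands in the middle of the deleted LDAP text rather than immediately before "The main purpose of this section is to enable logging when a client is added", which makes the diff hard to read; move the two sentences together. The "@todo - use the new 'map' function" note disappears with Example 3 without being resolved, which is fine only if the map-based SQL example is not coming back.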
This subsection is called if the client was NOT added.
-If this section is empty, you can just delete it entirely.
+The main purpose of this section is to enable logging when
+a client is denied.
+If this section is empty, you can just delete it entirely.
-Reject all packets sent to this dummy virtual server.
-This virtual server is just an example for dynamic
-clients, and should not be used for authentication or
-accounting. Copy the above sections to the real virtual
-server being used instead.
+After client is added, the packet is run through the normal
+processing sections
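Review bot: the deleted warning that this dummy virtual server "should not be used for authentication or accounting" needs to survive in some form, because the replacement sentence "After client is added, the packet is run through the normal processing sections" is correct but no longer tells the reader that the example is not meant to be enabled, and the Default Configuration below changes `recv Access-Request` from `reject` to `accept` at the same time. Suggested: "After a client is added, the packet is run through the normal processing sections. This virtual server is only an example; copy the sections above into the real virtual server instead of enabling this one." The new sentence also needs an article ("After a client") and a terminating period.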
== Default Configuration
# Sample configuration file for dynamically updating the list
# of RADIUS clients at run time.
# Everything is keyed off a client "network" (for example,
-# 192.168.0.2/24). This configuration lets the server know
-# that clients within that network are defined dynamically.
+# 192.168.0.2/24). This configuration lets the server know that
+# clients within that network are defined dynamically. The
+# network limitation also ensures that the server accepts
+# dynamic client requests from only a limited, "local" network.
# When the server receives a packet from an unknown IP address
# within that network, it tries to find a dynamic definition
# for that client. If the definition is found, the IP address
# cache of "known clients", with a configurable lifetime.
# Further packets from that IP address result in the client
# definition being found in the cache. Once the lifetime is
-# reached, the client definition is deleted, and any new requests
-# from that client are looked up as above.
+# reached, the client definition is deleted, and any new
+# requests from that client are looked up as above.
# If the dynamic definition is not found, then the request is
# treated as if it came from an unknown client, i.e. it is
# silently discarded.
# Once a client is denied, it is added to the negative cache,
# and all packets from that source IP are rejected for 30s.
server dynamic_clients {
+ namespace = radius
listen {
type = Access-Request
transport = udp
cleanup_delay = 5.0
}
udp {
- ipaddr = *
+ ipaddr = 127.0.0.1
port = 2812
dynamic_clients = true
networks {
}
}
new client {
- &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
- &control.FreeRADIUS-Client-Require-MA = no
- &control.FreeRADIUS-Client-Secret = "testing123"
- &control.FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
- &control.FreeRADIUS-Client-NAS-Type = "other"
- map sql "SELECT nasname,shortname,secret,type,server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}' LIMIT 1" {
- &control.FreeRADIUS-Client-IP-Address := 'nasname'
- &control.FreeRADIUS-Client-Shortname := 'shortname'
- &control.FreeRADIUS-Client-Secret := 'secret'
- &control.FreeRADIUS-Client-NAS-Type := 'type'
- &control.FreeRADIUS-Client-Virtual-Server := 'server'
- }
- if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
- &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
- &control.FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
- &control.FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
+ &control += {
+ &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
+ &FreeRADIUS-Client-Require-MA = no
+ &FreeRADIUS-Client-Secret = "testing123"
+ &FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
+ &FreeRADIUS-Client-NAS-Type = "other"
}
ok
}
ok
}
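Review bot: the braces in this section do not balance as shown: `&control += { ... }` closes at the first `}`, the following `ok` and `}` close `new client`, and the second `ok` / `}` pair has no opening line, which suggests the `add client` and `deny client` sections named in the prose were dropped from this rendering; check the generated file. Separately, the replacement body assigns the well-known test secret "testing123" and `FreeRADIUS-Client-Require-MA = no` to every address in the network, and the SQL `map` and LDAP lookups that fetched a per-NAS `secret` and `shortname` are deleted here rather than rewritten in the new `&control += { }` syntax; a comment marking the secret as a placeholder (and showing one lookup in the new syntax) would stop these values being copied into a real server. The `&control += { ... }` grouped-update form is also new relative to the prose above, which still says only "define the client fields as attributes"; mention it there.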
recv Access-Request {
- reject
+ accept
}
}
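Review bot: changing `recv Access-Request { reject }` to `accept` turns the example into a server that returns Access-Accept to any packet from a dynamically added client, and with the fixed "testing123" secret above that is any host on the listed network that knows it; the old `reject` meant the example was harmless if enabled by mistake, which is the property the deleted warning in the prose relied on. Keep `reject` here, or keep `accept` only together with a comment that this server must not be enabled as-is. The closing brace after `recv Access-Request { }` is also one more than the sections shown open, consistent with the missing `add client` / `deny client` lines noted above.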
```