From: Alan T. DeKok Date: Fri, 25 Aug 2023 14:50:46 +0000 (-0400) Subject: regenerate from updated source X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5699f96b2ff0a553ceb218a1e8a4f256c80e656;p=thirdparty%2Ffreeradius-server.git regenerate from updated source --- diff --git a/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc b/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc index 08293a69625..35d78a7fee4 100644 --- a/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/dynamic-clients.adoc @@ -8,12 +8,14 @@ -This virtual server is an EXAMPLE, and should not be enabled as-is. +This virtual server is an example, and should not be enabled as-is. -To enable dynamic clients in an existing virtual server, copy -the "dynamic_clients" sub-section of the "udp" listener from -the below example. Then copy the "new client", "add client", -and "deny client" sub-sections into the virtual server. +To enable dynamic clients in an existing virtual server, copy the +"dynamic_clients" sub-section of the "udp" listener from the below +example. Then copy the "new client", "add client", and "deny +client" sub-sections into the virtual server. Set `dynamic_clients += yes` in the listener, and then the virtual server will be enabled +for dynamic clients. When clients are added to a listener, they exist ONLY for that listener. Dynamic clients can process packets ONLY through the @@ -21,6 +23,7 @@ virtual server in which they are defined. Unlike v3, you CANNOT define a global client, and point it to a different virtual server, + See the "default" virtual server for examples of how to configure a "listen" section. Only the "dynamic_clients" changes are documented here. @@ -129,11 +132,15 @@ Packets from all other sources will be rejected. Even if a packet is from an allowed -network, it still must be allowed -by the "new client" subsection. +network, it still must be +configured by the "new client" +subsection. There is no limit to the number of networks which can be listed here. +Networks are put into a patricia +trie, so lookups are fast and +efficient. @@ -153,12 +160,14 @@ a dynamic client. -When a request is received from an unknown client, it -is initially passed through this 'new client' section -to determine whether to add the client or not. +When a request is received from an unknown client, it is +initially passed through this 'new client' section to +determine whether to add the client or not. + +This section should define the client fields as attributes, +and return `ok` to add the client. -If the client is added, the request is then sent "for real" -through the normal virtual server sections, as usual. +If this section returns `fail`, then the client is denied. Put any modules you want here. SQL, LDAP, "exec", @@ -167,10 +176,9 @@ attributes to define a new client MUST go into the control list. The packet received here is a complete, normal, -RADIUS packet. All attributes are decoded and -available. However, all attributes that depend on -the shared secret (e.g. User-Password, etc.) are -blank. +packet. All attributes are decoded and available. +However, all attributes that depend on the shared +secret (e.g. User-Password, etc.) are blank. @@ -183,78 +191,17 @@ the request just received require_message_authenticator -secret shortname nas_type -virtual_server - -This can ONLY be used if the network client -definition (e.g. "client dynamic" above) has -NO virtual_server defined. - -If the network client definition does have a -virtual_server defined, then that is used, -and there is no need to define this attribute. - -&control.FreeRADIUS-Client-Virtual-Server = "something" - - -Example 2: Look the clients up in SQL. - -This requires the SQL module to be configured, of course. - - - -Example 3: Look the clients up in LDAP - -@todo - use the new 'map' function to map the - 'nastable' to the attributes - -Do an LDAP lookup in the elements OU, check to -see if the Packet-Src-IP-Address object has an -"ou" attribute, if it does continue. Change -"ACME.COM" to the real OU of your organization. - -Assuming the following schema: - - OU=Elements,OU=Radius,DC=ACME,DC=COM -Elements will hold a record of every NAS in your -Network. Create Group objects based on the IP -Address of the NAS and set the "Location" or "l" -attribute to the NAS Huntgroup the NAS belongs to -allow them to be centrally managed in LDAP. -e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM +This subsection is called when the client was added. -With a "l" value of "CiscoRTR" for a Cisco Router -that has a NAS-IP-Address or Source-IP-Address of -10.1.2.3. - -And with a "ou" value of the shared secret password -for the NAS element, i.e. "password". - - -Set the Client-Shortname to be the Location -"l" just like in the Huntgroups, but this -time to the shortname. - - -Lookup and set the Shared Secret based on -the "ou" attribute. - - -Tell the caller that the client was defined properly. - -If the 'new client' section does NOT return "ok", then -the new client is ignored. - - - -This subsection is called if the client was added. +The main purpose of this section is to enable logging when +a client is added. If this section is empty, you can just delete it entirely. @@ -262,16 +209,15 @@ If this section is empty, you can just delete it entirely. This subsection is called if the client was NOT added. -If this section is empty, you can just delete it entirely. +The main purpose of this section is to enable logging when +a client is denied. +If this section is empty, you can just delete it entirely. -Reject all packets sent to this dummy virtual server. -This virtual server is just an example for dynamic -clients, and should not be used for authentication or -accounting. Copy the above sections to the real virtual -server being used instead. +After client is added, the packet is run through the normal +processing sections == Default Configuration @@ -280,8 +226,10 @@ server being used instead. # Sample configuration file for dynamically updating the list # of RADIUS clients at run time. # Everything is keyed off a client "network" (for example, -# 192.168.0.2/24). This configuration lets the server know -# that clients within that network are defined dynamically. +# 192.168.0.2/24). This configuration lets the server know that +# clients within that network are defined dynamically. The +# network limitation also ensures that the server accepts +# dynamic client requests from only a limited, "local" network. # When the server receives a packet from an unknown IP address # within that network, it tries to find a dynamic definition # for that client. If the definition is found, the IP address @@ -289,8 +237,8 @@ server being used instead. # cache of "known clients", with a configurable lifetime. # Further packets from that IP address result in the client # definition being found in the cache. Once the lifetime is -# reached, the client definition is deleted, and any new requests -# from that client are looked up as above. +# reached, the client definition is deleted, and any new +# requests from that client are looked up as above. # If the dynamic definition is not found, then the request is # treated as if it came from an unknown client, i.e. it is # silently discarded. @@ -298,6 +246,7 @@ server being used instead. # Once a client is denied, it is added to the negative cache, # and all packets from that source IP are rejected for 30s. server dynamic_clients { + namespace = radius listen { type = Access-Request transport = udp @@ -309,7 +258,7 @@ server dynamic_clients { cleanup_delay = 5.0 } udp { - ipaddr = * + ipaddr = 127.0.0.1 port = 2812 dynamic_clients = true networks { @@ -320,22 +269,12 @@ server dynamic_clients { } } new client { - &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - &control.FreeRADIUS-Client-Require-MA = no - &control.FreeRADIUS-Client-Secret = "testing123" - &control.FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" - &control.FreeRADIUS-Client-NAS-Type = "other" - map sql "SELECT nasname,shortname,secret,type,server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}' LIMIT 1" { - &control.FreeRADIUS-Client-IP-Address := 'nasname' - &control.FreeRADIUS-Client-Shortname := 'shortname' - &control.FreeRADIUS-Client-Secret := 'secret' - &control.FreeRADIUS-Client-NAS-Type := 'type' - &control.FreeRADIUS-Client-Virtual-Server := 'server' - } - if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") { - &control.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" - &control.FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}" - &control.FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}" + &control += { + &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" + &FreeRADIUS-Client-Require-MA = no + &FreeRADIUS-Client-Secret = "testing123" + &FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}" + &FreeRADIUS-Client-NAS-Type = "other" } ok } @@ -346,7 +285,7 @@ server dynamic_clients { ok } recv Access-Request { - reject + accept } } ```