| 4 |
- |
1 |
# -*- text -*-
|
|
|
2 |
######################################################################
|
|
|
3 |
#
|
|
|
4 |
# Sample configuration file for dynamically updating the list
|
|
|
5 |
# of RADIUS clients at run time.
|
|
|
6 |
#
|
|
|
7 |
# Everything is keyed off of a client "network". (e.g. 192.168/16)
|
|
|
8 |
# This configuration lets the server know that clients within
|
|
|
9 |
# that network are defined dynamically.
|
|
|
10 |
#
|
|
|
11 |
# When the server receives a packet from an unknown IP address
|
|
|
12 |
# within that network, it tries to find a dynamic definition
|
|
|
13 |
# for that client. If the definition is found, the IP address
|
|
|
14 |
# (and other configuration) is added to the server's internal
|
|
|
15 |
# cache of "known clients", with a configurable lifetime.
|
|
|
16 |
#
|
|
|
17 |
# Further packets from that IP address result in the client
|
|
|
18 |
# definition being found in the cache. Once the lifetime is
|
|
|
19 |
# reached, the client definition is deleted, and any new requests
|
|
|
20 |
# from that client are looked up as above.
|
|
|
21 |
#
|
|
|
22 |
# If the dynamic definition is not found, then the request is
|
|
|
23 |
# treated as if it came from an unknown client. i.e. It is
|
|
|
24 |
# silently discarded.
|
|
|
25 |
#
|
|
|
26 |
# As part of protection from Denial of Service (DoS) attacks,
|
|
|
27 |
# the server will add only one new client per second. This CANNOT
|
|
|
28 |
# be changed, and is NOT configurable.
|
|
|
29 |
#
|
| 34 |
- |
30 |
# $Id: f8c3cc4ddd4a8e6434911fbcc444715f4ac95912 $
|
| 4 |
- |
31 |
#
|
|
|
32 |
######################################################################
|
|
|
33 |
|
|
|
34 |
#
|
|
|
35 |
# Define a network where clients may be dynamically defined.
|
|
|
36 |
client dynamic {
|
|
|
37 |
ipaddr = 192.168.0.0
|
|
|
38 |
|
|
|
39 |
#
|
|
|
40 |
# You MUST specify a netmask!
|
|
|
41 |
# IPv4 /32 or IPv6 /128 are NOT allowed!
|
|
|
42 |
netmask = 16
|
|
|
43 |
|
|
|
44 |
#
|
|
|
45 |
# Any other configuration normally found in a "client"
|
|
|
46 |
# entry can be used here.
|
|
|
47 |
|
|
|
48 |
#
|
|
|
49 |
# A shared secret does NOT have to be defined. It can
|
|
|
50 |
# be left out.
|
|
|
51 |
|
|
|
52 |
#
|
|
|
53 |
# Define the virtual server used to discover dynamic clients.
|
|
|
54 |
dynamic_clients = dynamic_client_server
|
|
|
55 |
|
|
|
56 |
#
|
|
|
57 |
# The directory where client definitions are stored. This
|
|
|
58 |
# needs to be used ONLY if the client definitions are stored
|
|
|
59 |
# in flat-text files. Each file in that directory should be
|
|
|
60 |
# ONE and only one client definition. The name of the file
|
|
|
61 |
# should be the IP address of the client.
|
|
|
62 |
#
|
|
|
63 |
# If you are storing clients in SQL, this entry should not
|
|
|
64 |
# be used.
|
|
|
65 |
# directory = ${confdir}/dynamic-clients/
|
|
|
66 |
|
|
|
67 |
#
|
|
|
68 |
# Define the lifetime (in seconds) for dynamic clients.
|
|
|
69 |
# They will be cached for this lifetime, and deleted afterwards.
|
|
|
70 |
#
|
|
|
71 |
# If the lifetime is "0", then the dynamic client is never
|
|
|
72 |
# deleted. The only way to delete the client is to re-start
|
|
|
73 |
# the server.
|
|
|
74 |
lifetime = 3600
|
|
|
75 |
}
|
|
|
76 |
|
|
|
77 |
#
|
|
|
78 |
# This is the virtual server referenced above by "dynamic_clients".
|
|
|
79 |
server dynamic_client_server {
|
|
|
80 |
|
|
|
81 |
#
|
|
|
82 |
# The only contents of the virtual server is the "authorize" section.
|
|
|
83 |
authorize {
|
|
|
84 |
|
|
|
85 |
#
|
|
|
86 |
# Put any modules you want here. SQL, LDAP, "exec",
|
|
|
87 |
# Perl, etc. The only requirements is that the
|
|
|
88 |
# attributes MUST go into the control item list.
|
|
|
89 |
#
|
|
|
90 |
# The request that is processed through this section
|
|
|
91 |
# is EMPTY. There are NO attributes. The request is fake,
|
|
|
92 |
# and is NOT the packet that triggered the lookup of
|
|
|
93 |
# the dynamic client.
|
|
|
94 |
#
|
|
|
95 |
# The ONLY piece of useful information is either
|
|
|
96 |
#
|
|
|
97 |
# Packet-Src-IP-Address (IPv4 clients)
|
|
|
98 |
# Packet-Src-IPv6-Address (IPv6 clients)
|
|
|
99 |
#
|
|
|
100 |
# The attributes used to define a dynamic client mirror
|
|
|
101 |
# the configuration items in the "client" structure.
|
|
|
102 |
#
|
|
|
103 |
|
|
|
104 |
#
|
|
|
105 |
# Example 1: Hard-code a client IP. This example is
|
|
|
106 |
# useless, but it documents the attributes
|
|
|
107 |
# you need.
|
|
|
108 |
#
|
|
|
109 |
update control {
|
|
|
110 |
|
|
|
111 |
#
|
|
|
112 |
# Echo the IP address of the client.
|
|
|
113 |
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
|
|
114 |
|
|
|
115 |
# require_message_authenticator
|
|
|
116 |
FreeRADIUS-Client-Require-MA = no
|
|
|
117 |
|
|
|
118 |
# secret
|
|
|
119 |
FreeRADIUS-Client-Secret = "testing123"
|
|
|
120 |
|
|
|
121 |
# shortname
|
|
|
122 |
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
|
|
|
123 |
|
|
|
124 |
# nastype
|
|
|
125 |
FreeRADIUS-Client-NAS-Type = "other"
|
|
|
126 |
|
|
|
127 |
# virtual_server
|
|
|
128 |
#
|
|
|
129 |
# This can ONLY be used if the network client
|
|
|
130 |
# definition (e.g. "client dynamic" above) has
|
|
|
131 |
# NO virtual_server defined.
|
|
|
132 |
#
|
|
|
133 |
# If the network client definition does have a
|
|
|
134 |
# virtual_server defined, then that is used,
|
|
|
135 |
# and there is no need to define this attribute.
|
|
|
136 |
#
|
|
|
137 |
FreeRADIUS-Client-Virtual-Server = "something"
|
|
|
138 |
|
|
|
139 |
}
|
|
|
140 |
|
|
|
141 |
#
|
|
|
142 |
# Example 2: Read the clients from "clients" files
|
|
|
143 |
# in a directory.
|
|
|
144 |
#
|
|
|
145 |
|
|
|
146 |
# This requires you to uncomment the
|
|
|
147 |
# "directory" configuration in the
|
|
|
148 |
# "client dynamic" configuration above,
|
|
|
149 |
# and then put one file per IP address in
|
|
|
150 |
# that directory.
|
|
|
151 |
#
|
|
|
152 |
dynamic_clients
|
|
|
153 |
|
|
|
154 |
#
|
|
|
155 |
# Example 3: Look the clients up in SQL.
|
|
|
156 |
#
|
|
|
157 |
# This requires the SQL module to be configured, of course.
|
|
|
158 |
if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
|
|
|
159 |
update control {
|
|
|
160 |
#
|
|
|
161 |
# Echo the IP.
|
|
|
162 |
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
|
|
163 |
|
|
|
164 |
#
|
|
|
165 |
# Do multiple SELECT statements to grab
|
|
|
166 |
# the various definitions.
|
|
|
167 |
FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
|
|
168 |
|
|
|
169 |
FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
|
|
170 |
|
|
|
171 |
FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
|
|
172 |
|
|
|
173 |
FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
|
|
|
174 |
}
|
|
|
175 |
|
|
|
176 |
}
|
|
|
177 |
|
|
|
178 |
# Do an LDAP lookup in the elements OU, check to see if
|
|
|
179 |
# the Packet-Src-IP-Address object has a "ou"
|
|
|
180 |
# attribute, if it does continue. Change "ACME.COM" to
|
|
|
181 |
# the real OU of your organization.
|
|
|
182 |
#
|
|
|
183 |
# Assuming the following schema:
|
|
|
184 |
#
|
|
|
185 |
# OU=Elements,OU=Radius,DC=ACME,DC=COM
|
|
|
186 |
#
|
|
|
187 |
# Elements will hold a record of every NAS in your
|
|
|
188 |
# Network. Create Group objects based on the IP
|
|
|
189 |
# Address of the NAS and set the "Location" or "l"
|
|
|
190 |
# attribute to the NAS Huntgroup the NAS belongs to
|
|
|
191 |
# allow them to be centrally managed in LDAP.
|
|
|
192 |
#
|
|
|
193 |
# e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
|
|
|
194 |
#
|
|
|
195 |
# With a "l" value of "CiscoRTR" for a Cisco Router
|
|
|
196 |
# that has a NAS-IP-Address or Source-IP-Address of
|
|
|
197 |
# 10.1.2.3.
|
|
|
198 |
#
|
|
|
199 |
# And with a "ou" value of the shared secret password
|
|
|
200 |
# for the NAS element. ie "password"
|
|
|
201 |
if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
|
|
|
202 |
update control {
|
|
|
203 |
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
|
|
204 |
|
|
|
205 |
# Set the Client-Shortname to be the Location
|
|
|
206 |
# "l" just like in the Huntgroups, but this
|
|
|
207 |
# time to the shortname.
|
|
|
208 |
|
|
|
209 |
FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
|
|
|
210 |
|
|
|
211 |
# Lookup and set the Shared Secret based on
|
|
|
212 |
# the "ou" attribute.
|
|
|
213 |
FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
|
|
|
214 |
}
|
|
|
215 |
}
|
|
|
216 |
|
|
|
217 |
#
|
|
|
218 |
# Tell the caller that the client was defined properly.
|
|
|
219 |
#
|
|
|
220 |
# If the authorize section does NOT return "ok", then
|
|
|
221 |
# the new client is ignored.
|
|
|
222 |
ok
|
|
|
223 |
}
|
|
|
224 |
}
|