Rev 4 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# -*- text -*-######################################################################## Sample configuration file for dynamically updating the list# of RADIUS clients at run time.## Everything is keyed off of a client "network". (e.g. 192.168/16)# This configuration lets the server know that clients within# that network are defined dynamically.## When the server receives a packet from an unknown IP address# within that network, it tries to find a dynamic definition# for that client. If the definition is found, the IP address# (and other configuration) is added to the server's internal# cache of "known clients", with a configurable lifetime.## Further packets from that IP address result in the client# definition being found in the cache. Once the lifetime is# reached, the client definition is deleted, and any new requests# from that client are looked up as above.## If the dynamic definition is not found, then the request is# treated as if it came from an unknown client. i.e. It is# silently discarded.## As part of protection from Denial of Service (DoS) attacks,# the server will add only one new client per second. This CANNOT# be changed, and is NOT configurable.## $Id: f8c3cc4ddd4a8e6434911fbcc444715f4ac95912 $######################################################################### Define a network where clients may be dynamically defined.client dynamic {ipaddr = 192.168.0.0## You MUST specify a netmask!# IPv4 /32 or IPv6 /128 are NOT allowed!netmask = 16## Any other configuration normally found in a "client"# entry can be used here.## A shared secret does NOT have to be defined. It can# be left out.## Define the virtual server used to discover dynamic clients.dynamic_clients = dynamic_client_server## The directory where client definitions are stored. This# needs to be used ONLY if the client definitions are stored# in flat-text files. Each file in that directory should be# ONE and only one client definition. The name of the file# should be the IP address of the client.## If you are storing clients in SQL, this entry should not# be used.# directory = ${confdir}/dynamic-clients/## Define the lifetime (in seconds) for dynamic clients.# They will be cached for this lifetime, and deleted afterwards.## If the lifetime is "0", then the dynamic client is never# deleted. The only way to delete the client is to re-start# the server.lifetime = 3600}## This is the virtual server referenced above by "dynamic_clients".server dynamic_client_server {## The only contents of the virtual server is the "authorize" section.authorize {## Put any modules you want here. SQL, LDAP, "exec",# Perl, etc. The only requirements is that the# attributes MUST go into the control item list.## The request that is processed through this section# is EMPTY. There are NO attributes. The request is fake,# and is NOT the packet that triggered the lookup of# the dynamic client.## The ONLY piece of useful information is either## Packet-Src-IP-Address (IPv4 clients)# Packet-Src-IPv6-Address (IPv6 clients)## The attributes used to define a dynamic client mirror# the configuration items in the "client" structure.### Example 1: Hard-code a client IP. This example is# useless, but it documents the attributes# you need.#update control {## Echo the IP address of the client.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"# require_message_authenticatorFreeRADIUS-Client-Require-MA = no# secretFreeRADIUS-Client-Secret = "testing123"# shortnameFreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"# nastypeFreeRADIUS-Client-NAS-Type = "other"# virtual_server## This can ONLY be used if the network client# definition (e.g. "client dynamic" above) has# NO virtual_server defined.## If the network client definition does have a# virtual_server defined, then that is used,# and there is no need to define this attribute.#FreeRADIUS-Client-Virtual-Server = "something"}## Example 2: Read the clients from "clients" files# in a directory.## This requires you to uncomment the# "directory" configuration in the# "client dynamic" configuration above,# and then put one file per IP address in# that directory.#dynamic_clients## Example 3: Look the clients up in SQL.## This requires the SQL module to be configured, of course.if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {update control {## Echo the IP.FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"## Do multiple SELECT statements to grab# the various definitions.FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"}}# Do an LDAP lookup in the elements OU, check to see if# the Packet-Src-IP-Address object has a "ou"# attribute, if it does continue. Change "ACME.COM" to# the real OU of your organization.## Assuming the following schema:## OU=Elements,OU=Radius,DC=ACME,DC=COM## Elements will hold a record of every NAS in your# Network. Create Group objects based on the IP# Address of the NAS and set the "Location" or "l"# attribute to the NAS Huntgroup the NAS belongs to# allow them to be centrally managed in LDAP.## e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM## With a "l" value of "CiscoRTR" for a Cisco Router# that has a NAS-IP-Address or Source-IP-Address of# 10.1.2.3.## And with a "ou" value of the shared secret password# for the NAS element. ie "password"if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {update control {FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"# Set the Client-Shortname to be the Location# "l" just like in the Huntgroups, but this# time to the shortname.FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"# Lookup and set the Shared Secret based on# the "ou" attribute.FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"}}## Tell the caller that the client was defined properly.## If the authorize section does NOT return "ok", then# the new client is ignored.ok}}