/etc/freeradius/sites-available/dynamic-clients is in freeradius 2.2.8+dfsg-0.1build2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 | # -*- text -*-
######################################################################
#
# Sample configuration file for dynamically updating the list
# of RADIUS clients at run time.
#
# Everything is keyed off of a client "network". (e.g. 192.168/16)
# This configuration lets the server know that clients within
# that network are defined dynamically.
#
# When the server receives a packet from an unknown IP address
# within that network, it tries to find a dynamic definition
# for that client. If the definition is found, the IP address
# (and other configuration) is added to the server's internal
# cache of "known clients", with a configurable lifetime.
#
# Further packets from that IP address result in the client
# definition being found in the cache. Once the lifetime is
# reached, the client definition is deleted, and any new requests
# from that client are looked up as above.
#
# If the dynamic definition is not found, then the request is
# treated as if it came from an unknown client. i.e. It is
# silently discarded.
#
# As part of protection from Denial of Service (DoS) attacks,
# the server will add only one new client per second. This CANNOT
# be changed, and is NOT configurable.
#
# $Id$
#
######################################################################
#
# Define a network where clients may be dynamically defined.
client dynamic {
ipaddr = 192.168.0.0
#
# You MUST specify a netmask!
# IPv4 /32 or IPv6 /128 are NOT allowed!
netmask = 16
#
# Any other configuration normally found in a "client"
# entry can be used here.
#
# A shared secret does NOT have to be defined. It can
# be left out.
#
# Define the virtual server used to discover dynamic clients.
dynamic_clients = dynamic_client_server
#
# The directory where client definitions are stored. This
# needs to be used ONLY if the client definitions are stored
# in flat-text files. Each file in that directory should be
# ONE and only one client definition. The name of the file
# should be the IP address of the client.
#
# If you are storing clients in SQL, this entry should not
# be used.
# directory = ${confdir}/dynamic-clients/
#
# Define the lifetime (in seconds) for dynamic clients.
# They will be cached for this lifetime, and deleted afterwards.
#
# If the lifetime is "0", then the dynamic client is never
# deleted. The only way to delete the client is to re-start
# the server.
lifetime = 3600
}
#
# This is the virtual server referenced above by "dynamic_clients".
server dynamic_client_server {
#
# The only contents of the virtual server is the "authorize" section.
authorize {
#
# Put any modules you want here. SQL, LDAP, "exec",
# Perl, etc. The only requirements is that the
# attributes MUST go into the control item list.
#
# The request that is processed through this section
# is EMPTY. There are NO attributes. The request is fake,
# and is NOT the packet that triggered the lookup of
# the dynamic client.
#
# The ONLY piece of useful information is either
#
# Packet-Src-IP-Address (IPv4 clients)
# Packet-Src-IPv6-Address (IPv6 clients)
#
# The attributes used to define a dynamic client mirror
# the configuration items in the "client" structure.
#
#
# Example 1: Hard-code a client IP. This example is
# useless, but it documents the attributes
# you need.
#
update control {
#
# Echo the IP address of the client.
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
# require_message_authenticator
FreeRADIUS-Client-Require-MA = no
# secret
FreeRADIUS-Client-Secret = "testing123"
# shortname
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
# nastype
FreeRADIUS-Client-NAS-Type = "other"
# virtual_server
#
# This can ONLY be used if the network client
# definition (e.g. "client dynamic" above) has
# NO virtual_server defined.
#
# If the network client definition does have a
# virtual_server defined, then that is used,
# and there is no need to define this attribute.
#
FreeRADIUS-Client-Virtual-Server = "something"
}
#
# Example 2: Read the clients from "clients" files
# in a directory.
#
# This requires you to uncomment the
# "directory" configuration in the
# "client dynamic" configuration above,
# and then put one file per IP address in
# that directory.
#
dynamic_clients
#
# Example 3: Look the clients up in SQL.
#
# This requires the SQL module to be configured, of course.
if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
update control {
#
# Echo the IP.
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
#
# Do multiple SELECT statements to grab
# the various definitions.
FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
}
}
# Do an LDAP lookup in the elements OU, check to see if
# the Packet-Src-IP-Address object has a "ou"
# attribute, if it does continue. Change "ACME.COM" to
# the real OU of your organization.
#
# Assuming the following schema:
#
# OU=Elements,OU=Radius,DC=ACME,DC=COM
#
# Elements will hold a record of every NAS in your
# Network. Create Group objects based on the IP
# Address of the NAS and set the "Location" or "l"
# attribute to the NAS Huntgroup the NAS belongs to
# allow them to be centrally managed in LDAP.
#
# e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
#
# With a "l" value of "CiscoRTR" for a Cisco Router
# that has a NAS-IP-Address or Source-IP-Address of
# 10.1.2.3.
#
# And with a "ou" value of the shared secret password
# for the NAS element. ie "password"
if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
update control {
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
# Set the Client-Shortname to be the Location
# "l" just like in the Huntgroups, but this
# time to the shortname.
FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"
# Lookup and set the Shared Secret based on
# the "ou" attribute.
FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
}
}
#
# Tell the caller that the client was defined properly.
#
# If the authorize section does NOT return "ok", then
# the new client is ignored.
ok
}
}
|