> Johan Meiring wrote:
> >> Is there any way to handle clients with dynamic IPs, and use
> >> the NAS-Identifier and radius secret to allow/disallow the NAS?
>
> The current git tree has functionality that should do this. See
> git.freeradius.org, and read raddb/sites-available/dynamic-clients.
>
> The idea is to define the network 0.0.0.0/0 as you do now, and then
> dynamically create the "client" definition the first time the server
> receives a packet from that client. You can use "unlang" to check the
> NAS-Identifier, and then define a shared secret for that NAS.
>
> There are limitations, of course. See the configuration
> file for details.

Hi Alan,

It seems exactly what I want, but.... I'm getting there but not quite.

Using the sites-available as an example I created the following:

A Virtual Server with an authorize section that will create the client.
Tested working using static info.
-----------------------
server dymamic_nas {
	authorize {
		update control {
			FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
			FreeRADIUS-Client-Require-MA = no
			FreeRADIUS-Client-Secret = "test-secret"
			FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
			FreeRADIUS-Client-NAS-Type = "other"
			FreeRADIUS-Client-Virtual-Server = "hotspot"
		}
		ok
	}
}
------------------------
Works perfectly.

Now I replace the "static info" above with a SQL query, again using the example
-------------------------------------------------------------
server dymamic_nas {
	authorize {
		if ("%{sql: select NasID from Nas where Identifier='%{NAS-Identifier}'}") {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-Require-MA = no
				FreeRADIUS-Client-Secret = "%{sql: select RadiusSecret from Nas where Identifier='%{NAS-Identifier}'}"
				FreeRADIUS-Client-Shortname = "%{NAS-Identifier}"
				FreeRADIUS-Client-NAS-Type = "other"
				FreeRADIUS-Client-Virtual-Server = "hotspot"
			}
			ok
		}
	}
}
-------------------------------------------------------------

The problem is that %{NAS-Identifier} expands to nothing.
This seems to be confirmed by the documentation.
-------------------------------------------------------------
# The request that is processed through this section
# is EMPTY. There are NO attributes. The request is fake,
# and is NOT the packet that triggered the lookup of
# the dynamic client.
#
# The ONLY piece of useful information is either
#
#	Packet-Src-IP-Address (IPv4 clients)
#	Packet-Src-IPv6-Address (IPv6 clients)
-------------------------------------------------------------

The documentation however mentions that I can somehow get hold of the
NAS-Identifier and use it to set the "shared secret".
-------------------------------------------------------------
# You can use any policy here. e.g. Check NAS-Identifier,
# and define a shared secret by NAS-Identifier, rather than
-------------------------------------------------------------

How do I get hold of the NAS-Identifier in order to find the required secret?

Thanks!!!

>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html