######################################################################
# Sample configuration file for dynamically updating the list
# of RADIUS clients at run time.
# Everything is keyed off of a client "network". (e.g. 192.168/16)
# This configuration lets the server know that clients within
# that network are defined dynamically.
# When the server receives a packet from an unknown IP address
# within that network, it tries to find a dynamic definition
# for that client. If the definition is found, the IP address
# (and other configuration) is added to the server's internal
# cache of "known clients", with a configurable lifetime.
# Further packets from that IP address result in the client
# definition being found in the cache. Once the lifetime is
# reached, the client definition is deleted, and any new requests
# from that client are looked up as above.
# If the dynamic definition is not found, then the request is
# treated as if it came from an unknown client. i.e. It is silently discarded.
# As part of protection from Denial of Service (DoS) attacks,
# the server will add only one new client per second. This CANNOT
# be changed, and is NOT configurable.
######################################################################
# Define a network where clients may be dynamically defined.
# You MUST specify a netmask!
# IPv4 /32 or IPv6 /128 are NOT allowed!
# Any other configuration normally found in a "client"
# entry can be used here.
# A shared secret does NOT have to be defined. It can be left out.
# Define the virtual server used to discover dynamic clients.
# The value is the name of the "server dynamic_client_server { ... }" block
# defined further down in this file; the two names have to match.
dynamic_clients = dynamic_client_server
# Define the lifetime (in seconds) for dynamic clients.
# They will be cached for this lifetime, and deleted afterwards.
# If the lifetime is "0", then the dynamic client is never
# deleted. The only way to delete the client is to re-start the server,
# so a changed or revoked definition is not picked up until then.
# This is the virtual server referenced above by "dynamic_clients".
server dynamic_client_server {
# The only content of the virtual server is the "authorize" section.
# Put any modules you want here. SQL, LDAP, "exec",
# Perl, etc. The only requirement is that the
# attributes MUST go into the control item list.
# The request that is processed through this section
# is EMPTY. There are NO attributes. The request is fake,
# and is NOT the packet that triggered the lookup of the dynamic client.
# The ONLY piece of useful information is either
# Packet-Src-IP-Address (IPv4 clients)
# Packet-Src-IPv6-Address (IPv6 clients)
# The attributes used to define a dynamic client mirror
# the configuration items in the "client" structure.
# Echo the IP address of the client.
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
# require_message_authenticator
# NOTE(review): with "no", requests from this client are accepted even when
# they carry no Message-Authenticator attribute. Prefer "yes" for every NAS
# that can send it, so that request packets are integrity-checked.
FreeRADIUS-Client-Require-MA = no
# NOTE(review): "testing123" is a widely known sample value. Every client
# matched by this definition would share it; give each client its own long,
# random shared secret before using this outside a test setup.
FreeRADIUS-Client-Secret = "testing123"
FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
FreeRADIUS-Client-NAS-Type = "other"
# This can ONLY be used if the network client
# definition (e.g. "client dynamic" above) has
# NO virtual_server defined.
# If the network client definition does have a
# virtual_server defined, then that is used,
# and there is no need to define this attribute.
# "something" is a placeholder value; presumably it has to be replaced with
# the name of a virtual server that exists in this configuration (confirm).
FreeRADIUS-Client-Virtual-Server = "something"
# Or, look the client up in SQL.
# This requires the SQL module to be configured, of course.
# Gate on whether the "nas" table has a row whose nasname equals the packet's
# source address; presumably an empty result (no row) makes the condition false.
# NOTE(review): the only value expanded into the query is
# Packet-Src-IP-Address, which the comments above describe as the one useful
# piece of information in this otherwise empty request. Keep it that way:
# do not build these queries from attributes sent by the client.
if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
# Do multiple SELECT statements to grab
# the various definitions.
FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
# NOTE(review): the shared secret is read as-is from the "secret" column of
# the "nas" table, so it is stored there in recoverable form. Restrict read
# access to that table and protect the database connection accordingly.
FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
# Tell the caller that the client was defined properly.
# If the authorize section does NOT return "ok", then
# the new client is ignored.