# -*- text -*-
######################################################################
#
# Sample configuration file for dynamically updating the list
# of RADIUS clients at run time.
#
# Everything is keyed off a client "network" (e.g. 192.0.2/24).
# This configuration lets the server know that clients within
# that network are defined dynamically.
#
# When the server receives a packet from an unknown IP address
# within that network, it tries to find a dynamic definition
# for that client. If the definition is found, the IP address
# (and other configuration) is added to the server's internal
# cache of "known clients", with a configurable lifetime.
#
# Further packets from that IP address result in the client
# definition being found in the cache. Once the lifetime is
# reached, the client definition is deleted, and any new requests
# from that client are looked up as above.
#
# If the dynamic definition is not found, then the request is
# treated as if it came from an unknown client, i.e. it is
# silently discarded.
#
# As part of protection from Denial of Service (DoS) attacks,
# the server will add only one new client per second. This CANNOT
# be changed, and is NOT configurable.
#
# $Id: cdfa6175a9617bcd081b0b69f2c9340c3adaa56e $
#
######################################################################

#
# Define a network where clients may be dynamically defined.
#
# NOTE(review): every address inside this network is a candidate
# client. The lookup in the "dynamic_clients" virtual server below
# decides whether a given address is accepted, so keep the network
# as narrow as the real NAS address range allows.
client dynamic {
	# Network address; the prefix length comes from "netmask" below.
	ipaddr = 192.0.2.0

	#
	# You MUST specify a netmask!
	# IPv4 /32 or IPv6 /128 are NOT allowed!
	netmask = 24

	#
	# Any other configuration normally found in a "client"
	# entry can be used here.

	#
	# A shared secret does NOT have to be defined. It can
	# be left out.
	#
	# When it is left out, the secret of each dynamic client
	# presumably comes from the lookup instead (the
	# FreeRADIUS-Client-Secret set in the virtual server below);
	# confirm against the client code before relying on this.

	#
	# Define the virtual server used to discover dynamic clients.
	dynamic_clients = dynamic_clients

	#
	# The directory where client definitions are stored. This
	# needs to be used ONLY if the client definitions are stored
	# in flat-text files. Each file in that directory should be
	# ONE and only one client definition. The name of the file
	# should be the IP address of the client.
	#
	# Every file in this directory is trusted as a client
	# definition, including its secret, so write access to the
	# directory should be limited to the administrators who
	# manage clients.
	#
	# If you are storing clients in SQL, this entry should not
	# be used.
	# directory = ${confdir}/dynamic-clients/

	#
	# Define the lifetime (in seconds) for dynamic clients.
	# They will be cached for this lifetime, and deleted afterwards.
	#
	# Further packets from a cached client are answered from the
	# cache (see the header of this file), so a secret that is
	# changed or removed in the backing store only takes effect
	# for that client once the cached entry expires.
	#
	# If the lifetime is "0", then the dynamic client is never
	# deleted. The only way to delete the client is to re-start
	# the server.
	lifetime = 3600
}

#
# This is the virtual server referenced above by "dynamic_clients".
#
# NOTE(review): as shipped, the three examples below all run in
# sequence and the section always ends in "ok". Example 1 sets the
# client attributes unconditionally, with the fixed secret
# "testing123", so enabling this file unmodified accepts every host
# in the "client dynamic" network with that secret. Keep only the
# example that matches your backing store, and delete the others,
# before enabling this site.
server dynamic_clients {

	#
	# The only contents of the virtual server is the "authorize" section.
	authorize {

		#
		# Put any modules you want here. SQL, LDAP, "exec",
		# Perl, etc. The only requirements is that the
		# attributes MUST go into the control item list.
		#
		# The request that is processed through this section
		# is EMPTY. There are NO attributes. The request is fake,
		# and is NOT the packet that triggered the lookup of
		# the dynamic client.
		#
		# The ONLY piece of useful information is either
		#
		# Packet-Src-IP-Address (IPv4 clients)
		# Packet-Src-IPv6-Address (IPv6 clients)
		#
		# The attributes used to define a dynamic client mirror
		# the configuration items in the "client" structure.
		#

		#
		# Example 1: Hard-code a client IP. This example is
		# useless, but it documents the attributes
		# you need.
		#
		# This block runs unconditionally: every lookup reaches
		# it, whatever the source address.
		#
		update control {

			#
			# Echo the IP address of the client.
			FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

			# require_message_authenticator
			#
			# "no" appears to mean that packets from this client
			# are not required to carry Message-Authenticator;
			# confirm against the "client" documentation.
			FreeRADIUS-Client-Require-MA = no

			# secret
			#
			# Placeholder value, shared by every client this block
			# defines. Replace it or remove the whole block.
			FreeRADIUS-Client-Secret = "testing123"

			# shortname
			FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"

			# nas_type
			FreeRADIUS-Client-NAS-Type = "other"

			# virtual_server
			#
			# This can ONLY be used if the network client
			# definition (e.g. "client dynamic" above) has
			# NO virtual_server defined.
			#
			# If the network client definition does have a
			# virtual_server defined, then that is used,
			# and there is no need to define this attribute.
			#
			# "something" is a placeholder; it must name a real
			# virtual server.
			FreeRADIUS-Client-Virtual-Server = "something"

		}

		#
		# Example 2: Read the clients from "clients" files
		# in a directory.
		#

		# This requires you to uncomment the
		# "directory" configuration in the
		# "client dynamic" configuration above,
		# and then put one file per IP address in
		# that directory.
		#
		# The file consulted is the one named after the
		# source IP address of the lookup.
		#
		dynamic_clients

		#
		# Example 3: Look the clients up in SQL.
		#
		# This requires the SQL module to be configured, of course.
		#
		# The source IP address is the only value available here
		# (see above) and is interpolated into every query below.
		# NOTE(review): the sql xlat is expected to escape expanded
		# values; confirm this for the driver in use before relying
		# on these queries.
		if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
			update control {
				#
				# Echo the IP.
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

				#
				# Do multiple SELECT statements to grab
				# the various definitions.
				FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
			}

		}

		# Do an LDAP lookup in the elements OU, check to see if
		# the Packet-Src-IP-Address object has a "ou"
		# attribute, if it does continue. Change "ACME.COM" to
		# the real OU of your organization.
		#
		# Assuming the following schema:
		#
		# OU=Elements,OU=Radius,DC=ACME,DC=COM
		#
		# Elements will hold a record of every NAS in your
		# Network. Create Group objects based on the IP
		# Address of the NAS and set the "Location" or "l"
		# attribute to the NAS Huntgroup the NAS belongs to
		# allow them to be centrally managed in LDAP.
		#
		# e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
		#
		# With a "l" value of "CiscoRTR" for a Cisco Router
		# that has a NAS-IP-Address or Source-IP-Address of
		# 10.1.2.3.
		#
		# And with a "ou" value of the shared secret password
		# for the NAS element. ie "password"
		#
		# The LDAP identity used for these lookups can read the
		# "ou" attribute, i.e. the shared secret of every NAS
		# object in this OU. Protect its credentials and the
		# directory ACLs accordingly.
		if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

				# Set the Client-Shortname to be the Location
				# "l" just like in the Huntgroups, but this
				# time to the shortname.

				FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"

				# Lookup and set the Shared Secret based on
				# the "ou" attribute.
				FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
			}
		}

		#
		# Tell the caller that the client was defined properly.
		#
		# If the authorize section does NOT return "ok", then
		# the new client is ignored.
		#
		# This "ok" is unconditional: it is reached whether or not
		# the SQL or LDAP lookups above matched. What the caller
		# then does presumably depends on which attributes the
		# preceding statements put into the control list; confirm
		# against the client code if you remove Example 1.
		ok
	}
}