# -*- text -*-
######################################################################
#
# Sample configuration file for dynamically updating the list
# of RADIUS clients at run time.
#
# Everything is keyed off of a client "network". (e.g. 192.0.2/24)
# This configuration lets the server know that clients within
# that network are defined dynamically.
#
# When the server receives a packet from an unknown IP address
# within that network, it tries to find a dynamic definition
# for that client. If the definition is found, the IP address
# (and other configuration, including the shared secret) is added
# to the server's internal cache of "known clients", with a
# configurable lifetime.
#
# Further packets from that IP address result in the client
# definition being found in the cache. Once the lifetime is
# reached, the client definition is deleted, and any new requests
# from that client are looked up as above. Changes made in the
# backend (a rotated secret, a removed client) are therefore not
# seen until the cached entry expires.
#
# If the dynamic definition is not found, then the request is
# treated as if it came from an unknown client. i.e. It is
# silently discarded.
#
# As part of protection from Denial of Service (DoS) attacks,
# the server will add only one new client per second. This CANNOT
# be changed, and is NOT configurable.
#
# $Id: cdfa6175a9617bcd081b0b69f2c9340c3adaa56e $
#
######################################################################

#
# Define a network where clients may be dynamically defined.
client dynamic {
	#
	# Address of the network whose hosts may be defined
	# dynamically. Any host in this range can trigger a lookup
	# in the virtual server named by "dynamic_clients" below;
	# a host only becomes a known client if that lookup
	# returns "ok".
	ipaddr = 192.0.2.0

	#
	# You MUST specify a netmask!
	# IPv4 /32 or IPv6 /128 are NOT allowed!
	# (A dynamic "client" is a network to search, not one host.)
	netmask = 24

	#
	# Any other configuration normally found in a "client"
	# entry can be used here. Such items apply to the whole
	# network; see the note on virtual_server in the lookup
	# server below for how they interact with the attributes
	# returned by a lookup.

	#
	# A shared secret does NOT have to be defined. It can
	# be left out. The per-client secret is expected to come
	# from the lookup, via FreeRADIUS-Client-Secret.

	#
	# Define the virtual server used to discover dynamic clients.
	dynamic_clients = dynamic_clients

	#
	# The directory where client definitions are stored. This
	# needs to be used ONLY if the client definitions are stored
	# in flat-text files. Each file in that directory should be
	# ONE and only one client definition. The name of the file
	# should be the IP address of the client.
	#
	# NOTE(review): these files contain shared secrets. Keep
	# the directory readable only by the user the server runs
	# as, the same as the main clients.conf.
	#
	# If you are storing clients in SQL, this entry should not
	# be used.
# directory = ${confdir}/dynamic-clients/

	#
	# Define the lifetime (in seconds) for dynamic clients.
	# They will be cached for this lifetime, and deleted afterwards.
	#
	# Security note: the cached definition, including its
	# secret, is reused for the entire lifetime. A secret that
	# is rotated, or a client that is removed, in the backend
	# is not noticed until the cache entry expires, so choose a
	# lifetime short enough for your revocation needs.
	#
	# If the lifetime is "0", then the dynamic client is never
	# deleted. The only way to delete the client is to re-start
	# the server.
	lifetime = 3600
}

#
# This is the virtual server referenced above by "dynamic_clients".
server dynamic_clients {

	#
	# The only contents of the virtual server is the "authorize" section.
	#
	# Security note: whatever this section leaves in the control
	# list when it returns "ok" becomes a trusted RADIUS client
	# for the "lifetime" set in the "client dynamic" entry.
	#
	# The examples below are cumulative as written: Example 1
	# runs unconditionally, the later examples only add to it,
	# and the final "ok" is unconditional. Unless an earlier
	# module ends the section early (for instance by returning
	# "fail"), EVERY host in the dynamic network is therefore
	# admitted with the Example 1 settings. Before enabling this
	# site, remove or comment out Example 1 and keep only the
	# lookup you actually use.
	authorize {

		#
		# Put any modules you want here. SQL, LDAP, "exec",
		# Perl, etc. The only requirements is that the
		# attributes MUST go into the control item list.
		#
		# The request that is processed through this section
		# is EMPTY. There are NO attributes. The request is fake,
		# and is NOT the packet that triggered the lookup of
		# the dynamic client.
		#
		# The ONLY piece of useful information is either
		#
		# Packet-Src-IP-Address (IPv4 clients)
		# Packet-Src-IPv6-Address (IPv6 clients)
		#
		# Both are formatted by the server from the UDP source
		# address, not copied from attributes in the packet, so
		# they are IP literals rather than arbitrary text.
		#
		# The attributes used to define a dynamic client mirror
		# the configuration items in the "client" structure.
		#

		#
		# Example 1: Hard-code a client IP. This example is
		# useless, but it documents the attributes
		# you need.
		#
		# WARNING: this update is NOT conditional. Leaving it in
		# place turns every host in the dynamic network into a
		# client with the well-known secret "testing123" and with
		# Message-Authenticator checking disabled. Comment it out
		# (or wrap it in an "if") before deployment.
		#
		update control {

			#
			# Echo the IP address of the client.
			FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

			# require_message_authenticator
			#
			# "no" accepts Access-Requests from this client that
			# carry no Message-Authenticator attribute. Prefer "yes"
			# wherever the NAS supports it: that attribute is the
			# integrity check on Access-Request packets.
			FreeRADIUS-Client-Require-MA = no

			# secret
			#
			# Placeholder only. A real deployment needs a unique,
			# high-entropy secret per client; one secret shared by
			# every host in the network defeats the point of
			# looking clients up individually.
			FreeRADIUS-Client-Secret = "testing123"

			# shortname
			FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"

			# nas_type
			FreeRADIUS-Client-NAS-Type = "other"

			# virtual_server
			#
			# This can ONLY be used if the network client
			# definition (e.g. "client dynamic" above) has
			# NO virtual_server defined.
			#
			# If the network client definition does have a
			# virtual_server defined, then that is used,
			# and there is no need to define this attribute.
			#
			# NOTE(review): the "client dynamic" entry in this file
			# sets no virtual_server, so this value is the one that
			# applies, and "something" is a placeholder. Requests
			# from dynamic clients would presumably be handed to a
			# virtual server of that name; replace it with one that
			# actually exists.
			#
			FreeRADIUS-Client-Virtual-Server = "something"

		}

		#
		# Example 2: Read the clients from "clients" files
		# in a directory.
		#

		# This requires you to uncomment the
		# "directory" configuration in the
		# "client dynamic" configuration above,
		# and then put one file per IP address in
		# that directory.
		#
		# If the module does not find a file for the address and
		# returns a code that ends the section, the client is not
		# created; the exact return code is not shown here, so
		# check the module's behaviour before relying on it.
		#
		dynamic_clients

		#
		# Example 3: Look the clients up in SQL.
		#
		# This requires the SQL module to be configured, of course.
		#
		# The only value interpolated into these queries is the
		# server-formatted source address (see above), so this is
		# not user-supplied text; the sql module's own escaping of
		# xlat'd values is also expected to apply (confirm for your
		# driver). Each matched lookup issues four further SELECTs,
		# one per attribute.
		if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
			update control {
				#
				# Echo the IP.
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

				#
				# Do multiple SELECT statements to grab
				# the various definitions.
				FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"

				FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
			}

		}

		# Do an LDAP lookup in the elements OU, check to see if
		# the Packet-Src-IP-Address object has a "ou"
		# attribute, if it does continue. Change "ACME.COM" to
		# the real OU of your organization.
		#
		# Assuming the following schema:
		#
		# OU=Elements,OU=Radius,DC=ACME,DC=COM
		#
		# Elements will hold a record of every NAS in your
		# Network. Create Group objects based on the IP
		# Address of the NAS and set the "Location" or "l"
		# attribute to the NAS Huntgroup the NAS belongs to
		# allow them to be centrally managed in LDAP.
		#
		# e.g. CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
		#
		# With a "l" value of "CiscoRTR" for a Cisco Router
		# that has a NAS-IP-Address or Source-IP-Address of
		# 10.1.2.3.
		#
		# And with a "ou" value of the shared secret password
		# for the NAS element. ie "password"
		#
		# NOTE(review): this scheme stores each NAS's shared
		# secret in clear text in the "ou" attribute. The bind
		# account used by the ldap module, and anyone else who
		# can read that OU, can recover every secret, so restrict
		# read access to OU=Elements accordingly. The "cn=" filter
		# value is the server-formatted source address, not text
		# from the packet.
		if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

				# Set the Client-Shortname to be the Location
				# "l" just like in the Huntgroups, but this
				# time to the shortname.

				FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"

				# Lookup and set the Shared Secret based on
				# the "ou" attribute.
				FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
			}
		}

		#
		# Tell the caller that the client was defined properly.
		#
		# If the authorize section does NOT return "ok", then
		# the new client is ignored.
		#
		# This "ok" is unconditional: it is reached even when the
		# SQL and LDAP lookups above matched nothing. Only an
		# earlier module that ends the section (for instance by
		# returning "fail") prevents it. If you remove Example 1,
		# an unmatched host reaches this point with no
		# FreeRADIUS-Client-IP-Address in the control list; how the
		# server treats that case is not shown here, so it is
		# safer to return "ok" only inside the branch that actually
		# found the client.
		ok
	}
}
224}