94 lines
3.1 KiB
Plaintext
94 lines
3.1 KiB
Plaintext
# -*- text -*-
|
|
######################################################################
|
|
#
|
|
# Sample configuration file for dynamically updating the list
|
|
# of RADIUS clients at run time.
|
|
#
|
|
# Everything is keyed off of a client "network". (e.g. 192.0.2/24)
|
|
# This configuration lets the server know that clients within
|
|
# that network are defined dynamically.
|
|
#
|
|
# When the server receives a packet from an unknown IP address
|
|
# within that network, it tries to find a dynamic definition
|
|
# for that client. If the definition is found, the IP address
|
|
# (and other configuration) is added to the server's internal
|
|
# cache of "known clients", with a configurable lifetime.
|
|
#
|
|
# Further packets from that IP address result in the client
|
|
# definition being found in the cache. Once the lifetime is
|
|
# reached, the client definition is deleted, and any new requests
|
|
# from that client are looked up as above.
|
|
#
|
|
# If the dynamic definition is not found, then the request is
|
|
# treated as if it came from an unknown client. i.e. It is
|
|
# silently discarded.
|
|
#
|
|
# As part of protection from Denial of Service (DoS) attacks,
|
|
# the server will add only one new client per second. This CANNOT
|
|
# be changed, and is NOT configurable.
|
|
#
|
|
# $Id: 0459a7f4b1dc824b1684e9d220a0410c69b3248a $
|
|
#
|
|
######################################################################
|
|
|
|
|
|
|
|
#
|
|
# This is the virtual server referenced above by "dynamic_clients".
|
|
server dynamic_clients {
|
|
|
|
#
|
|
# The only contents of the virtual server is the "authorize" section.
|
|
authorize {
|
|
|
|
#
|
|
# Put any modules you want here. SQL, LDAP, "exec",
|
|
# Perl, etc. The only requirements is that the
|
|
# attributes MUST go into the control item list.
|
|
#
|
|
# The request that is processed through this section
|
|
# is EMPTY. There are NO attributes. The request is fake,
|
|
# and is NOT the packet that triggered the lookup of
|
|
# the dynamic client.
|
|
#
|
|
# The ONLY piece of useful information is either
|
|
#
|
|
# Packet-Src-IP-Address (IPv4 clients)
|
|
# Packet-Src-IPv6-Address (IPv6 clients)
|
|
#
|
|
# The attributes used to define a dynamic client mirror
|
|
# the configuration items in the "client" structure.
|
|
#
|
|
|
|
#
|
|
# Example 1: Hard-code a client IP. This example is
|
|
# useless, but it documents the attributes
|
|
# you need.
|
|
#
|
|
if ("%{raw:NAS-Identifier}") {
|
|
if ("%{sql: select count(*) from nas where shortname='%{raw:NAS-Identifier}'}" == 1) {
|
|
update control {
|
|
&FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
|
|
&FreeRADIUS-Client-Require-MA = no
|
|
&FreeRADIUS-Client-Secret = "%{sql: select nas.secret from nas where shortname='%{raw:NAS-Identifier}'}"
|
|
&FreeRADIUS-Client-Shortname = "%{sql: select shortname from nas where shortname='%{raw:NAS-Identifier}'}"
|
|
&FreeRADIUS-Client-NAS-Type = "other"
|
|
}
|
|
ok
|
|
}
|
|
else {
|
|
rest
|
|
}
|
|
} else {
|
|
reject
|
|
}
|
|
|
|
#
|
|
# Tell the caller that the client was defined properly.
|
|
#
|
|
# If the authorize section does NOT return "ok", then
|
|
# the new client is ignored.
|
|
ok
|
|
}
|
|
}
|