2 ######################################################################
4 # Sample configuration file for dynamically updating the list
5 # of RADIUS clients at run time.
7 # Everything is keyed off of a client "network". (e.g. 192.168/16)
8 # This configuration lets the server know that clients within
9 # that network are defined dynamically.
11 # When the server receives a packet from an unknown IP address
12 # within that network, it tries to find a dynamic definition
13 # for that client. If the definition is found, the IP address
14 # (and other configuration) is added to the server's internal
15 # cache of "known clients", with a configurable lifetime.
17 # Further packets from that IP address result in the client
18 # definition being found in the cache. Once the lifetime is
19 # reached, the client definition is deleted, and any new requests
20 # from that client are looked up as above.
22 # If the dynamic definition is not found, then the request is
23 # treated as if it came from an unknown client. i.e. It is
26 # As part of protection from Denial of Service (DoS) attacks,
27 # the server will add only one new client per second. This CANNOT
28 # be changed, and is NOT configurable.
32 ######################################################################
35 # Define a network where clients may be dynamically defined.
40 # You MUST specify a netmask!
41 # IPv4 /32 or IPv6 /128 are NOT allowed!
45 # Any other configuration normally found in a "client"
46 # entry can be used here.
49 # A shared secret does NOT have to be defined. It can
53 # Define the virtual server used to discover dynamic clients.
54 dynamic_clients = dynamic_client_server
57 # Define the lifetime (in seconds) for dynamic clients.
58 # They will be cached for this lifetime, and deleted afterwards.
60 # If the lifetime is "0", then the dynamic client is never
61 # deleted. The only way to delete the client is to re-start
67 # This is the virtual server referenced above by "dynamic_clients".
68 server dynamic_client_server {
71 # The only contents of the virtual server is the "authorize" section.
75 # Put any modules you want here. SQL, LDAP, "exec",
76 # Perl, etc. The only requirements is that the
77 # attributes MUST go into the control item list.
79 # The request that is processed through this section
80 # is EMPTY. There are NO attributes. The request is fake,
81 # and is NOT the packet that triggered the lookup of
84 # The ONLY piece of useful information is either
86 # Packet-Src-IP-Address (IPv4 clients)
87 # Packet-Src-IPv6-Address (IPv6 clients)
89 # The attributes used to define a dynamic client mirror
90 # the configuration items in the "client" structure.
95 # Echo the IP address of the client.
96 FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
98 # require_message_authenticator
99 FreeRADIUS-Client-Require-MA = no
102 FreeRADIUS-Client-Secret = "testing123"
105 FreeRADIUS-Client-Shortname = "%{Packet-Src-IP-Address}"
108 FreeRADIUS-Client-NAS-Type = "other"
112 # This can ONLY be used if the network client
113 # definition (e.g. "client dynamic" above) has
114 # NO virtual_server defined.
116 # If the network client definition does have a
117 # virtual_server defined, then that is used,
118 # and there is no need to define this attribute.
120 FreeRADIUS-Client-Virtual-Server = "something"
125 # Or, look the client up in SQL.
127 # This requires the SQL module to be configured, of course.
128 if ("%{sql: SELECT nasname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}") {
132 FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
135 # Do multiple SELECT statements to grab
136 # the various definitions.
137 FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
139 FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
141 FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
147 # Tell the caller that the client was defined properly.
149 # If the authorize section does NOT return "ok", then
150 # the new client is ignored.