Hello Bjørn,

On 02/11/2013 10:27 AM, Bjørn Mork wrote:
> Ondrej Famera <[email protected]> writes:
>
>> freeRADIUS server:
>> radius.example.com
>> - IPv4: 10.0.0.1
>> - IPv6: 2001:a:b:c::1
>>
>> NAS device:
>> dev1.example.com
>> - IPv4: 10.0.0.2
>> - IPv6: 2001:a:b:c::2
>>
>> RADIUS nas table:
>> id | nasname | shortname | type | ports | secret | community | description | server
>> ----+-------------------+-----------+-------+--------+---------------+-----------+-------------+--------------
>> 1 | dev1.example.com | dev1 | other | <NULL> | shared_secret | <NULL> | <NULL> | inner-tunnel
>
> Never use DNS to identify a client. A client is uniquely identified by
> its IP address. Hiding this behind DNS is just confusing. For example:
> * You thought a single client with multiple IPs would work - It won't
> * You might think that you can change the DNS entry without restarting
> FreeRADIUS - you cannot
> * You might think that you can configure a client without knowing its
> address first - you cannot.

* I hoped that if I got reliable DNS with correct records then RADIUS would resolve them the right way (either all of them or none) - but it resolves only one of them

>
>> By adding following to nas table it works:
>> id | nasname | shortname | type | ports | secret | community | description | server
>> ----+-------------------+-----------+-------+--------+---------------+-----------+-------------+--------------
>> 2 | 10.0.0.2 | dev1 | other | <NULL> | shared_secret | <NULL> | <NULL> | inner-tunnel
>>
>> ( it works as workaround but I think that it should work as well with
>> hostname only )
>
> That is not a "workaround". It is the correct way to configure a
> client. If you want to allow a client to use multiple addresses,
> then you need to add an entry for each address.
>
> But you should really not do that. Choose a single source address for
> each client. This implies that you must choose a single address family.
> There is no such thing as a "dual stack RADIUS client". Either you use
> IPv4 or you use IPv6.

- In my case the hard work is done by script which knows which devices should be put into client table and puts them there based on their hostnames,
- so as more correct approach I see that script would also do resolving hostnames to addresses before putting them in clients table. ( I got list of hostnames, so the lazy approach is to use them if it's possible )

> This goes for *any* management protocol. It's not some service you are
> providing to any random Internet client. You explicitly configure each
> end and you want to do that as precisely as possible. Try configuring
> your BGP peers using DNS and see how well that works...
>
>
> Bjørn
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

Thanks for quick response and clarification, the address-based approach now looks much better than before :)

--
Ondrej Famera
unix@fi
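As an added illustration (not code from the thread), a Python helper in the spirit of the provisioning script Ondrej describes: it resolves each NAS hostname to its addresses up front and emits one nas-table row per address, or only one address family as Bjørn recommends, so FreeRADIUS never has to resolve a hostname itself. The DNS answers for dev1.example.com are constructed inline so the script runs offline; with `resolver=None` it falls back to the system resolver via `socket.getaddrinfo`.

```python
import ipaddress
import socket

# Constructed stand-in for DNS answers (matches the addresses in the thread).
SAMPLE_DNS = {"dev1.example.com": ["10.0.0.2", "2001:a:b:c::2"]}


def resolve_all(hostname, resolver=None):
    """Return every distinct IPv4/IPv6 address of hostname, in answer order.
    resolver=None queries the system resolver; otherwise a dict is used."""
    if resolver is not None:
        addrs = resolver[hostname]
    else:
        addrs = [info[4][0] for info in socket.getaddrinfo(hostname, None)]
    return list(dict.fromkeys(addrs))  # de-duplicate, keep order


def nas_rows(hostname, shortname, secret, server, resolver=None, family=None):
    """Build one nas-table row per resolved address.
    family=4 or 6 keeps a single address family, which is the single-source-
    address setup recommended in the thread; None emits both families."""
    rows = []
    for addr in resolve_all(hostname, resolver):
        ip = ipaddress.ip_address(addr)
        if family is not None and ip.version != family:
            continue
        rows.append({
            "nasname": str(ip),          # the client IP FreeRADIUS matches on
            "shortname": shortname,
            "type": "other",
            "secret": secret,
            "server": server,
            "description": f"{hostname} (IPv{ip.version})",
        })
    return rows


def to_sql(rows):
    """Return a parameterised INSERT plus its parameter tuples, for use with
    cursor.executemany(); values are never interpolated into the statement."""
    stmt = ("INSERT INTO nas (nasname, shortname, type, secret, server, "
            "description) VALUES (%s, %s, %s, %s, %s, %s)")
    params = [(r["nasname"], r["shortname"], r["type"], r["secret"],
               r["server"], r["description"]) for r in rows]
    return stmt, params


if __name__ == "__main__":
    stmt, params = to_sql(nas_rows("dev1.example.com", "dev1", "shared_secret",
                                   "inner-tunnel", resolver=SAMPLE_DNS))
    print(stmt)
    for p in params:
        print(p)
```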

