Dear Alan,

See my comments below.

> st...@comitcon.be wrote:
>> I have rebuilt FreeRADIUS on Debian 7.0. I have added rlm_raw and have a
>> working dynamic client configuration where I use Called-Station-Id to
>> authenticate / validate that a NAS is allowed to use this RADIUS server.
>
> That's not a recommended configuration.

1. FreeRADIUS lacks the ability to actually run NASes behind a link with a
dynamic IP. Although not recommended, this software does not support a proper
way of dealing with this.

>> I wait for a couple of minutes and I executed the following command on
>> client A:
>>
>> echo "NAS-IP-Address=10.1.2.236, Called-Station-Id=00:40:96:aa:bb:cc,User-Name='testradius',User-Password='test'," | radclient -c '1' -n '3' -r '3' -t '3' -x '46.18.36.232:1812' 'auth' 'mysecret'
>>
>> This has a faulty Called-Station-Id in it. I would assume that it would
>> not allow me to connect. But this appears to still work.

This is indeed a fake. I have added this in MySQL in the nas table under the
field community (described in the YFi setup). The connection actually works.
I can (ab)use this field as much as desired.

> Of course. RADIUS depends on IP addresses, not on Called-Station-Id.
> This is documented in the "dynamic_clients" configuration. Right at
> the top of the virtual server.

Yes, I have read the documentation (multiple sources, Google, etc...). I was
just wondering what happens when you use the raw module.

>> I am wondering
>> - The first time, the IP address of client A is added to the list of
>>   known clients
>> - So the second time, it will check first in the list if the IP is
>>   known; if so it won't go checking using the process defined in
>>   dynamic clients?
>
> That's what the documentation says.

Again, yep, read the docs... It is also stated in the YFi docs in the remarks
below their dynamic client section.

>> But no matter how long I wait, it appears that the cache is not cleared.
>>
>> I have added a lifetime of 60 in the dynamic client conf, so I would
>> assume that if I wait for a minute, the IP of client A would not be
>> known, and it would go through checking again.
>
> That's how it works.
>
>> Am I wrong in this? If not, can I read the cache to find out why it is
>> keeping that record?
>
> You can use "radmin" to query the server about a client. It won't
> show you the lifetime of that client. But it will show you if the
> client still exists.

Is a client defined by a NAS or a user? Because I need to figure out how or
when the dynamic client is removed from the cache.

> And as always, run the server in debugging mode. READ the output. It
> tells you exactly what's going on, and why.

The output shows indeed when it goes through the dynamic server section, and
once it is authenticated it only runs through the default (which is
understandable).

Steve

> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
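The behaviour discussed in the thread (the dynamic client lookup is keyed on the packet's source IP, the result is cached for `lifetime` seconds, and later packets from that IP never re-enter the lookup) is easiest to see in the configuration itself. The following is an added example for readers of the thread, not configuration from Steve's setup, from YFi or from rlm_raw; it is written in the shape of the dynamic-clients virtual server shipped with FreeRADIUS 2.x. The listen socket, the 10.1.2.0/24 range, the `lifetime` of 60 seconds and the SQL lookup against the standard `nas` table are assumptions for illustration.

```unlang
# Added example, not from the thread: minimal FreeRADIUS 2.x dynamic client
# definition in the style of raddb/sites-available/dynamic-clients.
# Addresses, names and the SQL query are assumptions for illustration.

listen {
	ipaddr = *
	port = 1812
	type = auth
	clients = dynamic          # use the client list below for this socket
}

clients dynamic {
	# Only source IPs inside this range are ever looked up dynamically.
	client 10.1.2.0/24 {
		ipaddr = 10.1.2.0
		netmask = 24
		dynamic_clients = dynamic_client_server
		# Seconds a discovered client stays cached. Until this expires,
		# every packet from the same source IP is matched against the
		# cached definition and the authorize section below is NOT re-run.
		lifetime = 60
		rate_limit = yes
	}
}

server dynamic_client_server {
	authorize {
		# The packet is not decoded here because its shared secret is
		# not yet known, so only Packet-Src-IP-Address, Packet-Src-Port,
		# Packet-Dst-IP-Address and Packet-Dst-Port are available.
		# Assumed lookup: the secret for this source IP from the nas table.
		update control {
			Tmp-String-0 = "%{sql:SELECT secret FROM nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
		}

		if ("%{control:Tmp-String-0}" == "") {
			# Unknown source IP: no client is defined, the packet is dropped.
			reject
		}
		else {
			update control {
				FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-Secret = "%{control:Tmp-String-0}"
				FreeRADIUS-Client-Shortname = "nas-%{Packet-Src-IP-Address}"
				FreeRADIUS-Client-NAS-Type = "other"
				FreeRADIUS-Client-Virtual-Server = "default"
			}
			# "ok" tells the server the client is now defined and cached.
			ok
		}
	}
}
```

Whatever is checked in this authorize section, the source IP as above or an attribute pulled from the undecoded packet by a module such as rlm_raw, is evaluated once per source IP. After `ok`, the packet that triggered the lookup and every later packet from that IP are accepted against the cached definition until `lifetime` expires, which is the behaviour observed with the forged Called-Station-Id in the thread. A per-packet check on Called-Station-Id therefore belongs in the `default` virtual server, where the packet has been decoded with the client's secret. To confirm expiry, run `radiusd -X`, send one request, wait longer than `lifetime`, and send another: the debug output should show the second request passing through `dynamic_client_server` again.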