Dynamic Clients Freeradius
Dynamic Clients, in Freeradius terms, refers to allowing multiple clients, or IPs to connect to a freeradius running service.
By default, obviously, for security reasons, any incoming connection to the freeradius service has to match a predefined client IP or the request is silently dropped or ignored.
This happens, irrespective of who you are! Yes, it is a security measure! The idea behind such an approach is simply to permit you and only your static IP to connect.
However, this isn’t always the case, as if you manage many NAS (network access servers), they might all require the AAA, doing so from different IP addresses.
Since you will know ahead of time what specific IP addresses will be sending the requests, you simply add them all to your clients.conf
file in your freeradius
configuration folder.
Another scenario is when you have no idea what IP address will sending the AAA requests, but at least, you have an idea of the range of IP addresses they might be coming from.
A typical example is when upon ADSL or 4G modem restart, a new IP address is assigned by your ISP.
Enter Dynamic Clients, which offers you the opportunity to rig your freeradius service to listen to connections from a range of IP address, or if you’re crazy enough, allow to respond to every single IP on the internet
Although I won’t recommend you open your freeradius server to every IP address in the world, that might be your use case, if your hotspot reach is global!
Dynamic Clients Freeradius
Freeradius comes with the dynamic_clients
module, which is in the /etc/freeradius/sites-available/
folder
It offers one way of being dynamic with clients allowed to communicate with the system. But, in our case, in my case, I used a different, much more convenient approach.
Lemme show the configuration first, then comment!
The snippet below goes into the /etc/freeradius/clients.conf
file. You know where to put it, just go through the file, and it should be clear where to write something similar.
Something similar because the snippet below, the IP addresses, are for the network provider, Airtel, in Ghana.
client airtel1 { ipaddr = 45.211.0.0 secret = yoursecret netmask = 16 require_message_authenticator = yes } client airtel2 { ipaddr = 45.210.0.0 secret = yoursecret netmask = 16 require_message_authenticator = yes }
See an example of a Clients.conf freeradius file
client airtel1: That’s the name of the client
ipaddr: Yes, the IP address. Since we’ll be specifying a range, we leave the last two zeros.
A bit of story around the IP address. Airtel Ghana has 45.211.0.0/16 and 45.210.0.0/16 as their dedicated IP range they assign to devices that connect to use their network.
I do not know if they have more than the above IP addresses. However, upon many IP addresses assigned to my devices as they connect re-connect, they all seem to fall within the IP range above.
netmask: Yes, netmask. Since I’m no networking guru, you should read on how it works or what network masking is.
require_message_authenticator: Seriously, I have no idea what this setting is or does. Just leave it yes. If your morning reading doze involves getting up to speed with not so great explanations, see the RFC 5080 about the require_message_authenticator
.
Conclusion
So there you go, Dynamic Clients. I do not know how similar the approach above is to the dynamic_clients
modules, but this article covered how to accept connections from different IP addresses from a range.
I hope it helped you get up to speed with Dynamic Clients in freeradius. Will see you in the next one!