# -*- text -*-
######################################################################
#
#	Sample configuration file for dynamically updating the list
#	of RADIUS clients at run time.
#
#	Everything is keyed off of a client "network".  (e.g. 192.168/16)
#	This configuration lets the server know that clients within
#	that network are defined dynamically.
#
#	When the server receives a packet from an unknown IP address
#	within that network, it tries to find a dynamic definition
#	for that client.  If the definition is found, the IP address
#	(and other configuration) is added to the server's internal
#	cache of "known clients", with a configurable lifetime.
#
#	Further packets from that IP address result in the client
#	definition being found in the cache.  Once the lifetime is
#	reached, the client definition is deleted, and any new requests
#	from that client are looked up as above.
#
#	If the dynamic definition is not found, then the request is
#	treated as if it came from an unknown client.  i.e. It is
#	silently discarded.
#
#	As part of protection from Denial of Service (DoS) attacks,
#	the server will add only one new client per second.  This CANNOT
#	be changed, and is NOT configurable.
#
#	$Id$
#
######################################################################

#
#  Define a network where clients may be dynamically defined.
client 0.0.0.0/0 {

	#
	#  Any other configuration normally found in a "client"
	#  entry can be used here.

	#
	#  A shared secret does NOT have to be defined.  It can
	#  be left out.

	#
	#  Define the virtual server used to discover dynamic clients.
	dynamic_clients = dynamic_client_server

	#
	#  The directory where client definitions are stored.  This
	#  needs to be used ONLY if the client definitions are stored
	#  in flat-text files.  Each file in that directory should be
	#  ONE and only one client definition.  The name of the file
	#  should be the IP address of the client.
	#
	#  If you are storing clients in SQL, this entry should not
	#  be used.
#	directory = ${confdir}/dynamic-clients/

	#
	#  Define the lifetime (in seconds) for dynamic clients.
	#  They will be cached for this lifetime, and deleted afterwards.
	#
	#  If the lifetime is "0", then the dynamic client is never
	#  deleted.  The only way to delete the client is to re-start
	#  the server.
	lifetime = ${policy.dynamic_controller_ttl}
}

#
#  This is the virtual server referenced above by "dynamic_clients".
server dynamic_client_server {

	#
	#  The only contents of the virtual server is the "authorize" section.
	#  
	authorize {

		#
		#  Put any modules you want here.  SQL, LDAP, "exec",
		#  Perl, etc.  The only requirements is that the
		#  attributes MUST go into the control item list.
		#
		#  The request that is processed through this section
		#  is EMPTY.  There are NO attributes.  The request is fake,
		#  and is NOT the packet that triggered the lookup of
		#  the dynamic client.
		#
		#  The ONLY piece of useful information is either
		#
		#	Packet-Src-IP-Address (IPv4 clients)
		#	Packet-Src-IPv6-Address (IPv6 clients)
		#
		#  The attributes used to define a dynamic client mirror
		#  the configuration items in the "client" structure.
		#

		#
		#  Example 1: Hard-code a client IP.  This example is
		#             useless, but it documents the attributes
		#             you need.
		#
		#
		#  Example 2: Read the clients from "clients" files
		#             in a directory.
		#

		#             This requires you to uncomment the
		#             "directory" configuration in the
		#             "client dynamic" configuration above,
		#	      and then put one file per IP address in
		#             that directory.
		#
		dynamic_clients

		#
		#  Example 3: Look the clients up in SQL.
		#
		#  This requires the SQL module to be configured, of course.
        #
        #  The order of matching 
        #  * The mac set in the Called-Station-Id
        #  * The ip address of the client
        #  * The ip range of the client
        #
                if("%{raw:Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
                    update control {
                        Tmp-String-8 := "%{sql: SELECT nasname FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'}"
                    }
                }

                if (!"%{control:Tmp-String-8}") {
                    update control {
                        Tmp-String-8 := "%{sql: SELECT nasname FROM radius_nas WHERE nasname = '%{Packet-Src-IP-Address}'}"
                    }

                }
                if (!"%{control:Tmp-String-8}") {
                    update control {
                        Tmp-String-8 := "%{sql: SELECT nasname from radius_nas WHERE start_ip <= INET_ATON('%{Packet-Src-IP-Address}') and INET_ATON('%{Packet-Src-IP-Address}') <= end_ip order by range_length limit 1}"
                    }
                        #
                }
                if ("%{control:Tmp-String-8}") {
                    update control {
                        #
                        # Echo the IP.
                        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

                        #
                        # Do multiple SELECT statements to grab
                        # the various definitions.
                        FreeRADIUS-Client-Shortname = "%{sql: SELECT shortname FROM radius_nas WHERE nasname = '%{control:Tmp-String-8}'}"

                        FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM radius_nas WHERE nasname = '%{control:Tmp-String-8}'}"

                        FreeRADIUS-Client-NAS-Type = "%{sql: SELECT type FROM radius_nas WHERE nasname = '%{control:Tmp-String-8}'}"

                    }
                    ok
                }
		# Do an LDAP lookup in the elements OU, check to see if
		# the Packet-Src-IP-Address object has a "ou"
		# attribute, if it does continue.  Change "ACME.COM" to
		# the real OU of your organization.
		#
		# Assuming the following schema:
		#
		# OU=Elements,OU=Radius,DC=ACME,DC=COM
		#
		# Elements will hold a record of every NAS in your
		# Network.  Create Group objects based on the IP
		# Address of the NAS and set the "Location" or "l"
		# attribute to the NAS Huntgroup the NAS belongs to
		# allow them to be centrally managed in LDAP.
		#
		# e.g.  CN=10.1.2.3,OU=Elements,OU=Radius,DC=ACME,DC=COM
		#
		# With a "l" value of "CiscoRTR" for a Cisco Router
		# that has a NAS-IP-Address or Source-IP-Address of
		# 10.1.2.3.
		#
		# And with a "ou" value of the shared secret password
		# for the NAS element. ie "password"
#		if ("%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}") {
#			update control {
#			       FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"

				# Set the Client-Shortname to be the Location
				# "l" just like in the Huntgroups, but this
				# time to the shortname.

#				FreeRADIUS-Client-Shortname = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?l?sub?cn=%{Packet-Src-IP-Address}}"

				# Lookup and set the Shared Secret based on
				# the "ou" attribute.
#				FreeRADIUS-Client-Secret = "%{ldap:ldap:///OU=Elements,OU=Radius,DC=ACME,DC=COM?ou?sub?cn=%{Packet-Src-IP-Address}}"
#			}
#            ok
#		}

		#
		#  Tell the caller that the client was defined properly.
		#
		#  If the authorize section does NOT return "ok", then
		#  the new client is ignored.
	}
}
