Accounting - FramedIPAddress - DHCP/IPPOOL

Phil Mayers p.mayers at imperial.ac.uk
Wed May 10 16:51:34 CEST 2006


mad wrote:
> Hello,
> I have a freeradius server, I use an eap/ttls authentication with 802.1x 
> and ldap.
> I want to save the username, the ip address, the MAC address, the start 
> time and the stop time of the connection with the accounting function 
> (with mysql).
> I have a problem with the ip address ... because it's dhcpd which gives 
> an ip address to the client, so freeradius can't have this information.

Correct

> 
> I have tried ippool in freeradius (freeradius wants to give an ip address 
> but the client doesn't receive it). Also I have read that it's impossible 
> to use ippool with eap and when there are access points and/or switches 
> between client and server ... is it true ?

I'm afraid so. EAP happens before IPs are assigned, and doesn't interact 
with DHCP.

> 
> I have also tried other solutions (with syslog-ng which gets the ip 
> address from the log and inserts it in the acct table ..., a script with 
> omshell which permits freeradius to indicate to dhcpd what ip address to 
> give to this client ...) BUT I think these solutions are very unstable ...

The omshell one is a clever idea. But you're right, it's not very stable.

I think for the moment processing the DHCP logs or lease database and 
adding it to the radius accounting table will be needed.

The other way would be to get a list of IP->mac (either by processing 
the logs or "snmpwalk ipnettomedia" of the router) and dump them to a 
file, then use the "hints" and an "exec" module to insert the IP into 
the accounting requests. Obviously the accounting-start will happen 
before you have that info, but the interim and accounting-stop should be 
ok. So, something like this in "hints":

DEFAULT
	Framed-IP-Address = `{exec:lookup_ip}`

and in radiusd.conf:

modules {
   exec lookup_ip {
     wait = yes
     program = "/usr/local/bin/lookup_ip"
     input_pairs = request
   }
}

If you have access to the DHCP server's leases database (assuming ISC 
dhcpd) then the following would work as a script (or something like it - 
this is untested):

#!/bin/sh

BUF=`mktemp`
if [ $? -ne 0 ]
then
	exit 1
fi
trap 'rm -f "$BUF"' EXIT

# Radius attributes are in environment variables
# Calling-Station-Id is...
MAC="$CALLING_STATION_ID"
if [ -z "$MAC" ]
then
	exit 1
fi

DHCP_LEASES=/var/lib/dhcp/dhcpd.leases

# The comparison below is an exact string match against the
# "hardware ethernet" value as written in the leases file
awk -v MAC="$MAC" '
/^#/ { next; }
/^lease / { our_lease=0; state=""; ip=$2; next; }
/^}/ {
     # a later block for the same IP replaces an earlier one
     if (our_lease && state=="active")
         leases[ip] = mac;
     else if (ip in leases)
         delete leases[ip];
     ip = "";
     our_lease = 0;
     next;
}
{
     if (!ip)
         next;
     if ($1=="binding" && $2=="state") {
         state = $3;
         gsub(/;/,"",state);
     } else if ($1=="hardware" && $2=="ethernet") {
         mac = $3;
         gsub(/;/,"",mac);
         if (mac==MAC) {
             our_lease = 1;
         }
     }
}
END {
     # print the MAC stored for each IP, not the last MAC parsed
     for (ip in leases) {
         print ip, leases[ip];
     }
}' "$DHCP_LEASES" >"$BUF"

NUM_LEASES=`wc -l "$BUF" | awk '{ print $1 }'`
if [ $NUM_LEASES -gt 1 ]
then
	# >1 lease for this mac, help!
	exit 1
elif [ $NUM_LEASES -ne 1 ]
then
	# no leases
	exit 1
else
	ip=`cut -d ' ' -f 1 "$BUF"`
	echo "$ip"
fi

> 
> What do you think about this ?
> Do you have another solution ?
> 
> Sorry my English is rusty ... and thanks for your answers

Your English is better than my - well, anything!

> 
> Regards,
> 
> Psymad


Hope that helps
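
Added example, not part of the original post: a sketch of the first option in the reply (processing the lease database and adding the IP to the radius accounting table), which turns an ISC dhcpd leases file into UPDATE statements for open sessions. The function names, the constructed sample leases, the radacct column names (callingstationid, framedipaddress, acctstoptime) and the rule that an open session has a NULL stop time are assumptions; adjust them to the schema in use.

```shell
#!/bin/sh
# Added example: dhcpd.leases -> UPDATE statements for open radacct sessions.
# Assumed columns: callingstationid, framedipaddress, acctstoptime (NULL while open).
SQL_FMT="UPDATE radacct SET framedipaddress='%s' WHERE acctstoptime IS NULL AND LOWER(REPLACE(REPLACE(REPLACE(callingstationid,'-',''),':',''),'.',''))='%s';"

leases_to_sql() {   # $1: leases file, or "-" for stdin
    awk -v fmt="$SQL_FMT" '
    /^lease /  { ip = $2; state = ""; mac = ""; next }
    ip == ""   { next }
    $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state); next }
    $1 == "hardware" && $2 == "ethernet" { mac = tolower($3); sub(/;$/, "", mac); next }
    /^}/ {
        # The leases file is append-only: the last block for an IP is the current one.
        if (state == "active" && mac != "") cur[ip] = mac
        else delete cur[ip]
        ip = ""
    }
    END {
        for (ip in cur) { n[cur[ip]]++; last[cur[ip]] = ip }
        for (mac in n) {
            if (n[mac] != 1) continue     # more than one active lease: ambiguous, skip
            ip = last[mac]
            # Values end up in SQL text, so emit only strictly well-formed ones.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            if (length(mac) != 17 || mac !~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/) continue
            key = mac; gsub(/:/, "", key)  # separator-free form matches any NAS MAC format
            printf(fmt "\n", ip, key)
        }
    }' "$1" | sort
}

sample_leases() {   # constructed sample data, not from a real server
    cat <<'EOF'
lease 10.0.0.5 {
  binding state active;
  hardware ethernet 00:11:22:aa:bb:cc;
}
lease 10.0.0.6 {
  binding state active;
  hardware ethernet 00:11:22:dd:ee:ff;
}
lease 10.0.0.6 {
  binding state free;
  hardware ethernet 00:11:22:dd:ee:ff;
}
EOF
}

sample_leases | leases_to_sql -
```

The output can be reviewed and then piped into the mysql client by whatever account owns the accounting table; run from cron, it fills in the address for sessions whose accounting-start arrived before the lease existed.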


