sqlippool IP conflict problem

Fajar A. Nugraha list at fajar.net
Tue Dec 20 08:37:41 CET 2011


2011/12/20 Коньков Евгений <kes-kes at yandex.ru>:
> I see that expire_time keeps being updated while radiusd receives
> interim-update packets. BUT radius listens on a UDP port and this
> means that there is no guarantee that the server will receive an interim-update packet. So there
> is a chance to lose two interim packets for the current user.

Correct.

> Therefore the IP leased for the current user will be counted as expired and may be
> leased to another user, causing an IP conflict error.

That's why I suggested two times Acct-Interim-Interval would be a good
choice. If one packet goes missing hopefully we'll be able to get the
next one. If you're feeling paranoid you could use a big timeout value
(e.g. 10x Acct-Interim-Interval), with the consequence that it will
take longer before IP addresses used by stale sessions can be reused.

>
> I think there must be a mechanism to force check that IP is *really*
> unused before freeing or 're lease' it.

It's a tradeoff, really. In theory, you COULD write your own module
that verifies whether a user is online. Kinda like what simultaneous
use using radutmp & checkrad does, which performs checking using
snmp/telnet/ssh to the NAS. However that would inflict a heavy
performance penalty. It might be acceptable if you only handle (for
example) 10 AAA/minute, but it won't be feasible if you need to handle
10 AAA/second.

For most practical purposes, the current sqlippool is good enough. Not
perfect, but good enough.

-- 
Fajar
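
The tradeoff discussed above, as an added example that is not part of the original message and is not FreeRADIUS code: a small model of when a lease runs out under lost interim updates, for different lease-to-interval multipliers. It assumes an address counts as free once expiry_time < now, that every received accounting packet sets expiry_time to now plus the lease, and that packets are lost independently; all function names and sample numbers are constructed.

```python
# Constructed model, not FreeRADIUS code. Assumes an address counts as free
# once expiry_time < now, and that every received accounting packet sets
# expiry_time = now + lease. Times are whole seconds.

def first_conflict_window(interval, lease, session_len, lost):
    """Return (start, end) of the first span in which the lease has expired
    while the session is still up, or None if that never happens.

    interval: Acct-Interim-Interval; lease: seconds added per received packet;
    lost: 1-based sequence numbers of interim updates dropped in transit.
    """
    expiry = lease                      # Accounting-Start at t=0
    n = 1
    while n * interval < session_len:   # updates are sent while the session is up
        t = n * interval
        if n not in lost:
            if expiry < t:              # pool already considered the IP free
                return (expiry, t)
            expiry = t + lease          # received update extends the lease
        n += 1
    return (expiry, session_len) if expiry < session_len else None


def conflict_probability(interval, lease, session_len, p_loss):
    """Chance of at least one such window when each interim update is
    dropped independently with probability p_loss (an assumption)."""
    needed = lease // interval               # losses in a row that outlive the lease
    total = (session_len - 1) // interval    # interim updates sent in the session
    streak = [1.0] + [0.0] * needed          # streak[j]: P(j losses in a row, no conflict yet)
    for _ in range(total):
        nxt = [0.0] * (needed + 1)
        nxt[0] = sum(streak[:needed]) * (1 - p_loss)
        for j in range(needed):
            nxt[j + 1] = streak[j] * p_loss
        streak = nxt                         # streak[needed] + one more update = conflict
    safe = sum(p for j, p in enumerate(streak)
               if (total - j) * interval + lease >= session_len)
    return 1.0 - safe


if __name__ == "__main__":
    for mult in (1, 2, 10):                  # constructed sample: 300 s interval, 8 h session
        p = conflict_probability(300, 300 * mult, 8 * 3600, 0.01)
        print(f"lease = {mult:>2} x interval: P(conflict window) = {p:.3g}, "
              f"stale session holds its IP up to {300 * mult} s")
```
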



