Duplicate release of IP ?

[Alan DeKok]

adrian.sandu at asandu.eu wrote:
> For some time now, I've been getting some complaints that some users are
> getting duplicate ips and not doing any traffic ..

  FreeRADIUS just assigns IPs.  It asks the NAS to tell the user about
the IP.  It asks the NAS to tell FreeRADIUS when the user is done with
the IP.

  Some NASes lie.  This means that FreeRADIUS thinks the IP is unused,
but the NAS has still marked it as active for that user.

> radius is running with -xx for the past few days so I can provide logs ..
> 828M    /var/log/radius/radius.log

  That's good... if a little large.

> I've tried looking through them but can't figure out why it would do
> that ..

  Find an IP address which you think has been assigned to two people.
Look through the logs for that IP address.  You will see FreeRADIUS
assigning the IP to the user.  The Access-Accept will contain the IP,
and a Session-Timeout.

  Next, look for accounting packets for that user, which contain the IP.
 This means that the NAS has still marked the IP as active for the user.

  Next, look for an accounting packet for that user which contains the
IP, and is "Acct-Status-Type = Stop".  If it appears, FreeRADIUS should
mark that IP as free.

  If there is no accounting "stop", then the NAS isn't kicking the user
offline.  Or, it's kicking user offline and not telling FreeRADIUS.

  Next, look at the packets between the users original login, and then
the next "Session-Timeout" seconds.  You will see that the *only*
references to the IP address will be in accounting packets for that
user.  Of course, there may be no accounting packets.

  After that Session-Timeout has passed, FreeRADIUS is allowed to re-use
the IP.  This is because the NAS is *supposed* to kick the user offline.

  In short, the "duplicate IP" problem is almost always the NAS.

  So... what NAS are you using?  Is it doing RADIUS properly?

  Alan DeKok.