Pre-allocation and association with framedipaddress and username in radius.radippool and effect if entry missing after a successful authentication

Alan DeKok aland at deployingradius.com
Thu Dec 3 03:12:06 CET 2015


On Dec 2, 2015, at 4:57 AM, Sophie Loewenthal <sophie.loewenthal at trimbletl.com> wrote:
>    We preallocate IP addresses with usernames into radius.radippool.

  Why?

  The IPPool table is for *dynamic* IPs.  If you want to assign static IPs, create a new table, and new SQL queries.

>  Our provisioning script runs every 5 mins, extracting new usernames from our application and then associates a framedipaddress with the new username in the correct pool based on their APN set in our application.

  Assigning IPs by User-Name is a bad idea.  Users can have multiple devices.  You should assign by MAC address.

  Create a table with one column for MAC, and one column for IP.  Then, look up the IP in the table:

post-auth {
	...
	if ("%{sql:SELECT ip FROM table WHERE MAC = mac...") {
		update reply {
			Framed-IP-Address := "%{sql:SELECT ip FROM table WHERE MAC = mac..."
		}
	}
	else {
		# dynamic IP Pool assignment.
	}
}

> The SQL in ippool.conf has been modified, so for example,

  You've done a lot of work to convert a dynamic IP pool into a static one.  It's simpler to just create a static pool.

> This modified SQL should not return an IP address if the username is not associated with a framedipaddress even if the user is in radius.radcheck.

  Please read the documentation on how the sql module works.

  The SQL "radcheck" table has *nothing* to do with the sql IP pool module.  They are completely independent.

> How should radius respond if a user authenticates correctly and is in radcheck table, but did not have a username+framedipaddress in radius.radippool?

  You need to decide that.  And then configure the server appropriately.

> Should I expect to see a message in the logs like:
> Wed Dec  2 10:37:59 2015 : Info: IP Allocation FAILED from proximus-carli   (did proximus.trimbletl.com cli 327711110064161 port 23333 user 344544001217220)
> Wed Dec  2 10:44:42 2015 : Info: IP Allocation FAILED from vodafone   (did vodafone.trimbletl.com cli 31600044278 port 824256 user 344466031488608)

  You edited the IP pool configuration and broke it.  Don't do that.

  Alan DeKok.
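
Added example, not part of the original message and not FreeRADIUS code: a Python/sqlite3 model of the lookup order described above, with a static MAC-to-IP table consulted first and the dynamic pool as fallback. The table and column names, the MAC normalisation, and the exclusion of reserved addresses from the dynamic pool are assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical schema: the message only asks for one MAC column and one IP column.
SCHEMA = """
CREATE TABLE static_ip (
    mac TEXT PRIMARY KEY,      -- one reservation per device
    ip  TEXT NOT NULL UNIQUE   -- an address can be reserved only once
);
"""

def normalize_mac(raw):
    """Canonicalise a MAC to lower-case aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def assign_ip(conn, raw_mac, dynamic_pool):
    """Return (ip, source): static row first, then dynamic pool, else (None, 'failed')."""
    mac = normalize_mac(raw_mac)
    if mac is not None:
        # Bound parameter: the client-supplied MAC never becomes SQL text.
        row = conn.execute("SELECT ip FROM static_ip WHERE mac = ?", (mac,)).fetchone()
        if row:
            return row[0], "static"
    # Assumption: a reserved address must never be handed out dynamically.
    reserved = {r[0] for r in conn.execute("SELECT ip FROM static_ip")}
    for ip in list(dynamic_pool):
        if ip not in reserved:
            dynamic_pool.remove(ip)
            return ip, "dynamic"
    return None, "failed"

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO static_ip VALUES (?, ?)", ("00:11:22:33:44:55", "10.0.0.10"))
    pool = ["10.0.0.10", "10.0.0.20"]  # constructed; overlaps the static row on purpose
    return [
        assign_ip(conn, "00-11-22-33-44-55", pool),  # known device
        assign_ip(conn, "AA:BB:CC:DD:EE:FF", pool),  # unknown device, pool has a free IP
        assign_ip(conn, "AABB.CCDD.EE00", pool),     # unknown device, pool exhausted
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```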



