Freeradius Proxy - Framed IP Address Accounting attribute

Matthew Newton mcn at freeradius.org
Wed Aug 2 10:33:20 CEST 2017


On Wed, 2017-08-02 at 09:18 +1000, Byron Jeffery wrote:
> I guess the missing puzzle piece for me is at which point does the client
> device obtain their IP address from the DHCP server, during post-auth or
> after post-auth?  If it is after post-auth, then I am correct in saying
> that there would be no purpose in querying the FreeRadius DHCP IP pool
> database as the IP Address would not have been assigned by then?

Generally speaking the order is - Authentication happens first, to
permit the device access to the network. Then the Accounting-Start as
the new session is created. Then DHCP as the device tries to get an
address. Finally you might get an Accounting Interim-Update with the
new DHCP-assigned IP address for the session in it.

So to do what you want to do you probably need to assign the IP address
for the device in post-auth (at the end of authentication) keyed off
the Calling-Station-ID, which is hopefully the device MAC address. You
could send that back as Framed-IP-Address if you really want, but it
sounds like the NAS won't care anyway.

Then on Accounting-Start you can key off Calling-Station-ID to pull
that IP address out of the database and create your own
Framed-IP-Address, should you need it at this stage.

Then in DHCP rather than assigning an IP address you should again just
look it up in the database (again, Calling-Station-ID should be the MAC
address) and send that back to the client. If there's nothing in the
database then just refuse to send anything back, as the client hasn't
been through authentication properly. And be careful around DHCP
renewals and when IPs expire from the database for a particular device.

As a start you should look at moving the IP address assignment from the
DHCP authorize config into the RADIUS post-auth section, and then tweak
from there.

Or fix/replace the NAS so it correctly reports the device's IP address,
which would probably be a lot simpler...

-- 
Matthew
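
The flow described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS's own code: a Python model in which post-auth allocates the address, while Accounting-Start and DHCP only look it up by MAC. The table layout, pool range, lease lifetime and function names are assumptions made for illustration.

```python
import sqlite3

LEASE_SECONDS = 3600                        # assumed lifetime of a database entry
POOL = ["10.0.0.%d" % i for i in range(10, 13)]   # constructed sample pool

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lease (mac TEXT PRIMARY KEY, ip TEXT UNIQUE, expires INTEGER)")
    return db

def norm(mac):
    # The NAS and the DHCP client may format the MAC differently; key on bare hex.
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def post_auth(db, calling_station_id, now):
    """End of authentication: the only place an address is allocated."""
    mac = norm(calling_station_id)
    db.execute("DELETE FROM lease WHERE expires <= ?", (now,))   # reclaim expired IPs
    row = db.execute("SELECT ip FROM lease WHERE mac = ?", (mac,)).fetchone()
    if row:
        ip = row[0]                         # re-authentication keeps the same IP
    else:
        used = {r[0] for r in db.execute("SELECT ip FROM lease")}
        free = [p for p in POOL if p not in used]
        if not free:
            return None                     # pool exhausted
        ip = free[0]
    db.execute("INSERT OR REPLACE INTO lease VALUES (?, ?, ?)",
               (mac, ip, now + LEASE_SECONDS))
    return ip                               # may be sent back as Framed-IP-Address

def lookup(db, mac, now):
    """Read-only lookup returning (ip, expires), or None if absent or expired."""
    return db.execute("SELECT ip, expires FROM lease WHERE mac = ? AND expires > ?",
                      (norm(mac), now)).fetchone()

def accounting_start(db, calling_station_id, now):
    """Build our own Framed-IP-Address for the accounting record."""
    row = lookup(db, calling_station_id, now)
    return row[0] if row else None

def dhcp_request(db, client_hw_addr, now):
    """DHCP never allocates: no database entry means no reply at all."""
    row = lookup(db, client_hw_addr, now)
    if row is None:
        return None                         # client has not authenticated
    ip, expires = row
    return ip, expires - now                # DHCP lease cannot outlive the DB entry
```

Capping the DHCP lease time at the remaining lifetime of the database entry is one way to handle the renewal and expiry caveat: a client cannot hold an address after it has been released for reuse.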


