run script on dhcp events

Семёнов Евгений Владимирович sem at unn.ru
Mon Jan 27 07:33:41 CET 2020


24.01.2020 22:00, Arran Cudbard-Bell wrote:
>
>>
>> Sorry, my question was too unclear, I will explain.
>>
>> I am developing a new university WiFi captive portal and use freeradius as the authentication/accounting and DHCP server. I call a script from the DHCP-Request section to set a firewall rule (because I need the supplicant MAC address and the issued IP address). And I need to know where I can call a script to remove the firewall rule after the supplicant has disconnected from the WiFi network.
>>
>> I tried to call a script (that removes the firewall rule) from the accounting section when Acct-Status-Type equals Stop, but it works only for a standalone WiFi access point without neighbors with the same SSID. But when the supplicant passes through the Wi-Fi zone and communicates with one access point, and then with another, the scheme described above stops working, because after receiving the acct-stop packet from the first access point, the firewall rule is deleted, but a new one is not created (there may not be a new dhcp-request).
> If that's really what's occurring and you're not just misinterpreting the accounting messages then it's a bug in the RADIUS accounting implementation on your APs and you should complain to your vendor.
>
> The APs should not send a Stop message unless the session is actually terminated.  As the user continues to use the network on the new AP, then the session has not been terminated, and a stop should not have been sent.
>
> I suspect what's actually happening is the original AP is sending a Stop and Start pair, but the Stop from AP1 is arriving after the Start from AP2, and is deleting the active firewall state.  If that's the case, fix your SQL queries so that doesn't happen.
Yes, I also thought about it, I will check, thanks.
>
>> I want to try to call a script that deletes the firewall rule after the IP address of the supplicant is released or after DHCP decides that the supplicant has not confirmed the address and marks the address as unoccupied. But I don't know where I can do it.
>>
>> Maybe you will advise me something?
> If a client roams out of range of the wireless network how is it going to send a DHCP release to the DHCP server?

In this case, the DHCP release will never occur, so I asked how the 
script could be executed when the server decides that the client is lost 
and marks its IP address as unoccupied.

Can I run the script somewhere here ( in sqlippool_log_clear, or 
somewhere else )?

sqlippool dhcp_sqlippool {
...

        sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

        sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:${pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

        sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"

        sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:${pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

        sqlippool_log_nopool = "DHCP: No ${pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"

}

I want to make sure that stop packets were not lost.

>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
>
-- 
Evgeniy
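
The two points discussed in this message (a late Stop from the previous AP must not delete state owned by a newer session, and a lost client is only cleaned up when its lease runs out) can be handled by keeping the firewall state in a table and guarding the delete. The sketch below is an added example, not code from this thread or from FreeRADIUS; the fw_state table and all function names are hypothetical, and removing the actual firewall rule is left to the caller.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table: one row per client that currently has a firewall rule.
    db.execute("""CREATE TABLE fw_state (
        mac TEXT PRIMARY KEY,          -- Calling-Station-Id
        ip TEXT NOT NULL,              -- address issued by DHCP
        session_id TEXT, nas TEXT,     -- accounting session that owns the rule
        lease_expiry INTEGER NOT NULL  -- epoch seconds
    )""")
    return db

def on_dhcp_request(db, mac, ip, expiry):
    """Lease granted or renewed: record the rule and push the expiry forward."""
    cur = db.execute("UPDATE fw_state SET ip=?, lease_expiry=? WHERE mac=?",
                     (ip, expiry, mac))
    if cur.rowcount == 0:
        db.execute("INSERT INTO fw_state (mac, ip, lease_expiry) VALUES (?,?,?)",
                   (mac, ip, expiry))

def on_acct_start(db, mac, session_id, nas):
    """Start from any AP: the newest session takes ownership of the rule."""
    db.execute("UPDATE fw_state SET session_id=?, nas=? WHERE mac=?",
               (session_id, nas, mac))

def on_acct_stop(db, mac, session_id, nas):
    """Return the IP whose rule must be removed, or None for a stale Stop."""
    row = db.execute(
        "SELECT ip FROM fw_state WHERE mac=? AND session_id=? AND nas=?",
        (mac, session_id, nas)).fetchone()
    if row is None:
        return None  # Stop from the previous AP arrived after the new Start
    db.execute("DELETE FROM fw_state WHERE mac=?", (mac,))
    return row[0]

def sweep_expired(db, now):
    """Periodic job: clients whose lease ran out without a release or Stop."""
    rows = db.execute(
        "SELECT mac, ip FROM fw_state WHERE lease_expiry < ? ORDER BY mac",
        (now,)).fetchall()
    db.execute("DELETE FROM fw_state WHERE lease_expiry < ?", (now,))
    return rows
```

A Stop is honoured only when its session id and NAS match the row's current owner, so message ordering between APs no longer matters; the sweep would be run from a timer with the current time.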


