-------- Original-Nachricht --------
Datum: Fri, 30 Jan 2009 11:51:20 +0100 Von: tnt@kalik.net An: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Betreff: Re: IP-Assignment with sqlippool based on nas-ip-address
Now, the "behaviour" of the server changed in the way, that the freeradius reserves only one ip-address per user. if the same user logs in again on the same nas (without accounting-stop-packet before), the old ip-address is freed and the user receives a new one.
That should happen only if IP allocation has expired (see lease-duration in sqlippool.conf). There is another allocate-find query that issues random IPs.
Hmmm, maybe there is another problem in my config. I tried two requests within ten seconds. Attached you'll find the debug. During the second request the first ip-address is freed and can be used again. The lease-duration has the standard value of 3600, so this can't be the reason. This is the table radippool after the second request: +-----------+-----------------+--------------+---------------------+----------+----------+ | pool_name | framedipaddress | nasipaddress | expiry_time | username | pool_key | +-----------+-----------------+--------------+---------------------+----------+----------+ | poolUK | 10.10.10.10 | 10.98.6.95 | 2009-02-02 10:14:32 | peter2 | | | poolUK | 10.10.10.11 | | 2009-02-02 09:14:31 | | 0 | +-----------+-----------------+--------------+---------------------+----------+----------+ debug ------------ rad_recv: Access-Request packet from host 10.98.6.95 port 3099, id=194, length=46 User-Name = "peter2" User-Password = "peter2" +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.98.6.95/auth-detail-20090202 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.98.6.95/auth-detail-20090202 [auth_log] expand: %t -> Mon Feb 2 09:13:45 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "peter2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 183 ++[files] returns ok [sql] expand: %{User-Name} -> peter2 [sql] sql_set_user escaped user --> 'peter2' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'peter2' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'peter2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'peter2' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'peter2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'peter2' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'peter2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UK' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UK' ORDER BY id [sql] User found in group UK [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UK' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UK' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "peter2" [pap] Using clear text password "peter2" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} rlm_sql (sql): Reserving sql socket id: 4 [sqlippool] expand: %{User-Name} -> peter2 [sqlippool] sql_set_user escaped user --> 'peter2' [sqlippool] expand: START TRANSACTION -> START TRANSACTION rlm_sql_mysql: query: START TRANSACTION [sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NOW() - INTERVAL 1 SECOND WHERE pool_key = '%{NAS-Port}' AND nasipaddress = '%{Nas-IP-Address}' -> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NOW() - INTERVAL 1 SECOND WHERE pool_key = '' AND nasipaddress = '10.98.6.95' rlm_sql_mysql: query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NOW() - INTERVAL 1 SECOND WHERE pool_key = '' AND nasipaddress = '10.98.6.95' [sqlippool] expand: SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < NOW() ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool WHERE pool_name = 'poolUK' AND expiry_time < NOW() ORDER BY (username <> 'peter2'), (callingstationid <> ''), expiry_time LIMIT 1 FOR UPDATE rlm_sql_mysql: query: SELECT framedipaddress FROM radippool WHERE pool_name = 'poolUK' AND expiry_time < NOW() ORDER BY (username <> 'peter2'), (callingstationid <> ''), expiry_time LIMIT 1 FOR UPDATE [sqlippool] expand: UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.10.10.11' -> UPDATE radippool SET nasipaddress = '10.98.6.95', pool_key = '', callingstationid = '', username = 'peter2', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.10.10.11' rlm_sql_mysql: query: UPDATE radippool SET nasipaddress = '10.98.6.95', pool_key = '', callingstationid = '', username = 'peter2', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.10.10.11' [sqlippool] Allocated IP 10.10.10.11 [0b0a0a0a] [sqlippool] expand: COMMIT -> COMMIT rlm_sql_mysql: query: COMMIT rlm_sql (sql): Released sql socket id: 4 [sqlippool] expand: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> Allocated IP: 10.10.10.11 from poolUK (did cli port user peter2) Allocated IP: 10.10.10.11 from poolUK (did cli port user peter2) ++[sqlippool] returns ok ++[exec] returns noop Sending Access-Accept of id 194 to 10.98.6.95 port 3099 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 10.10.10.11 Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 194 with timestamp +174 Ready to process requests. rad_recv: Access-Request packet from host 10.98.6.95 port 3114, id=120, length=46 User-Name = "peter2" User-Password = "peter2" +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.98.6.95/auth-detail-20090202 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.98.6.95/auth-detail-20090202 [auth_log] expand: %t -> Mon Feb 2 09:14:32 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "peter2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 183 ++[files] returns ok [sql] expand: %{User-Name} -> peter2 [sql] sql_set_user escaped user --> 'peter2' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'peter2' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'peter2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'peter2' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'peter2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'peter2' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'peter2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UK' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'UK' ORDER BY id [sql] User found in group UK [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UK' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'UK' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "peter2" [pap] Using clear text password "peter2" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} rlm_sql (sql): Reserving sql socket id: 2 [sqlippool] expand: %{User-Name} -> peter2 [sqlippool] sql_set_user escaped user --> 'peter2' [sqlippool] expand: START TRANSACTION -> START TRANSACTION rlm_sql_mysql: query: START TRANSACTION [sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NOW() - INTERVAL 1 SECOND WHERE pool_key = '%{NAS-Port}' AND nasipaddress = '%{Nas-IP-Address}' -> UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NOW() - INTERVAL 1 SECOND WHERE pool_key = '' AND nasipaddress = '10.98.6.95' rlm_sql_mysql: query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NOW() - INTERVAL 1 SECOND WHERE pool_key = '' AND nasipaddress = '10.98.6.95' [sqlippool] expand: SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND expiry_time < NOW() ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool WHERE pool_name = 'poolUK' AND expiry_time < NOW() ORDER BY (username <> 'peter2'), (callingstationid <> ''), expiry_time LIMIT 1 FOR UPDATE rlm_sql_mysql: query: SELECT framedipaddress FROM radippool WHERE pool_name = 'poolUK' AND expiry_time < NOW() ORDER BY (username <> 'peter2'), (callingstationid <> ''), expiry_time LIMIT 1 FOR UPDATE [sqlippool] expand: UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.10.10.10' -> UPDATE radippool SET nasipaddress = '10.98.6.95', pool_key = '', callingstationid = '', username = 'peter2', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.10.10.10' rlm_sql_mysql: query: UPDATE radippool SET nasipaddress = '10.98.6.95', pool_key = '', callingstationid = '', username = 'peter2', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.10.10.10' [sqlippool] Allocated IP 10.10.10.10 [0a0a0a0a] [sqlippool] expand: COMMIT -> COMMIT rlm_sql_mysql: query: COMMIT rlm_sql (sql): Released sql socket id: 2 [sqlippool] expand: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> Allocated IP: 10.10.10.10 from poolUK (did cli port user peter2) Allocated IP: 10.10.10.10 from poolUK (did cli port user peter2) ++[sqlippool] returns ok ++[exec] returns noop Sending Access-Accept of id 120 to 10.98.6.95 port 3114 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Netmask = 255.255.255.0 Framed-IP-Address = 10.10.10.10 Finished request 3. Going to the next request Waking up in 4.9 seconds.
Is there a possibility to assign also a specific subnetmask with the radippool-table? we have different subnetmasks for the different pools.
If these are PPP connections you should use 255.255.255.255 for all of them. That will match any gateway subnet and mask. You coral them with firewall.
I'm afriad, but this won't work in my environment. I will need a different subnetmask. Is it possible to use radgroupreply for this issue? Thanks. -- Jetzt 1 Monat kostenlos! GMX FreeDSL - Telefonanschluss + DSL für nur 17,95 Euro/mtl.!* http://dsl.gmx.de/?ac=OM.AD.PD003K11308T4569a