On 10/01/2018, at 9:33 AM, Artur Jaroschek <artur@jaroschek.net> wrote:
Even when I manually disconnect my VPN client (causing a deallocation message on freeradius-server side), and reconnect again (after a while) I will get the "other" IP. Is this inteded?
Once an IP is deallocated, it is deallocated. There is no information stored about what IP was given out previously.
What must our VPN client send while re-keying to not cause freeradius to swap the IP but to just "renew" it? BTW does "renew" mean it just updates some meta-date in the DB?
Your NAS (i.e. VPN server) is probably sending an accounting Stop message. Tell it to not send that when re-keying. I would be surprised if it was simply re-keying, as it sounds like it is sending a new Access-Request as well (which is giving it the new IP). Why is it doing that? Is that what you expect? I would have a chat to your VPN vendor. Surely a re-key of an existing session doesn’t mean re-auth?
Running the server in debugging mode will tell you what's going on...
The submitted logs were captured while running the server with "-xx”
There are a number of places that say things like: "Always use radiusd -X when debugging!”
But if the NAS sends a STOP before renewing the IP, well, that explains everything. The original session is gone, so a new lease is allocated.
When the old session is gone, why not handing out the same IP again for the new session, as long its the same requester, e.g. 4d7b2dcc10b9fa1a049fc4d1d05170c0 in my example?
Because there is no information stored to relate the old deallocated IP to the new session. -- Nathan Ward