The only place I found reference to the IP Pool is in the site-enabled config file. So I added: if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") { main_pool } Since it should only assign from the pool if the Framed-IP-Address we get back is 255.255.255.254, and not a statically assigned IP. There is an error in the debug when a user tries to login, but it seems to run the rule. But it still doesn't seem to assign from the IP pool. Please could you take a look at the debug and comment/suggest? rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=155, length=77 User-Name = "user@dsl.realm.co.uk" User-Password = "s3cr3t" NAS-IP-Address = 127.0.0.1 NAS-Port = 111 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name = "user@dsl.realm.co.uk" rlm_realm: Found realm "dsl.realm.co.uk" rlm_realm: Proxying request from user grahamdr to realm dsl.realm.co.uk rlm_realm: Adding Realm = "dsl.realm.co.uk" rlm_realm: Preparing to proxy authentication request to realm "dsl.realm.co.uk" ++[suffix] returns updated rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop users: Matched entry DEFAULT at line 8 ++[files] returns ok expand: %{User-Name} -> user@dsl.realm.co.uk rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql (sql): Released sql socket id: 4 rlm_sql (sql): User user@dsl.realm.co.uk not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop +- entering group pre-proxy expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m %d -> /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212 rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m %d expands to /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212 expand: %t -> Tue Feb 12 13:22:36 2008 ++[pre_proxy_log] returns ok Sending Access-Request of id 222 to 10.0.0.18 port 1645 User-Name = "user@dsl.realm.co.uk" User-Password = "s3cr3t" NAS-IP-Address = 127.0.0.1 NAS-Port = 111 Proxy-State = 0x313535 Proxying request 0 to home server 10.0.0.18 port 1645 Sending Access-Request of id 222 to 10.0.0.18 port 1645 User-Name = "user@dsl.realm.co.uk" User-Password = "s3cr3t" NAS-IP-Address = 127.0.0.1 NAS-Port = 111 Realm = "dsl.realm.co.uk" Realm = "dsl.realm.co.uk" Proxy-State = 0x313535 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 10.0.0.18 port 1645, id=222, length=107 Class = 0x5342522d434c20444e3d22323035333632222041543d22323030222055533d22222053493d 22323838312200 Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 << this should match the rule. Framed-IP-Netmask = 255.255.255.255 Acct-Interim-Interval = 7200 Framed-Protocol = PPP Service-Type = Framed-User Proxy-State = 0x313535 +- entering group post-proxy expand: %{Realm} -> dsl.realm.co.uk attr_filter: Matched entry DEFAULT at line 103 ++[attr_filter.post-proxy] returns updated ++[eap] returns noop +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Proxy reply, or no User-Name. Ignoring. ++[suffix] returns noop ++[eap] returns noop users: Matched entry DEFAULT at line 8 ++[files] returns ok expand: %{User-Name} -> user@dsl.realm.co.uk rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user@dsl.realm.co.uk' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 'user@dsl.realm.co.uk' ORDER BY id rlm_sql (sql): Released sql socket id: 3 rlm_sql (sql): User user@dsl.realm.co.uk not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [user@dsl.realm.co.uk/s3cr3t] (from client localhost port 111) +- entering group post-auth ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") WARNING: Unknown module "proxy_reply" in string expansion "%{proxy_reply:Framed-IP-Address}" expand: %{proxy_reply:Framed-IP-Address} -> ? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE ++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE rlm_sql (sql): Processing sql_postauth expand: %{User-Name} -> user@dsl.realm.co.uk rlm_sql (sql): sql_set_user escaped user --> 'user@dsl.realm.co.uk' expand: %{User-Password} -> s3cr3t expand: INSERT INTO radpostauth (user, pass, reply, date) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (user, pass, reply, date) VALUES ( 'user@dsl.realm.co.uk', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36') expand: /usr/local/var/log/radius/sqltrace.sql -> /usr/local/var/log/radius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (user, pass, reply, date) VALUES ( 'user@dsl.realm.co.uk', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT INTO radpostauth (user, pass, reply, date) VALUES ( 'user@dsl.realm.co.uk', 's3cr3t', 'Access-Accept', '2008-02-12 13:22:36') rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok Sending Access-Accept of id 155 to 127.0.0.1 port 32791 Session-Timeout = 0 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Finished request 0. -----Original Message----- From: freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=eurisp.co.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 12 February 2008 12:41 To: FreeRadius users mailing list Subject: Re: Different IP Pool per proxied realm Tony Spencer wrote:
I currently have this in radiusd.conf.
That is NOT the only reference to the "ippool" module. The IP's get allocated *somewhere* via a reference to the "main_pool" module. You must have edited the configuration files to do this, because it is *not* enabled in the default configuration.
I've tried adding the statement before and inside this but even static assigned users get an address from the pool.
Umm... please go read "man unlang". It is a *policy* language for *processing* packets. It does not apply to module configurations. See the default configuration files for examples of how to use "if()". Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21 No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008 12:21