Thanks Matthew for confirming the process. I had managed to figure out exactly as you had mentioned whereby I would be getting the IP address during post-auth, thank you for the confirmation. I looked at the vlan id and then based on that set the pool and then called dhcp_sqlippool. I figured that this was the best way to get an IP address for the client based on the calling-station-id so that I could then have an IP address for accounting start. This also meant that the client would be served the same IP address based on its mac address once it had the access accept and hit up the DHCP server for an IP address. In my testing, this works well. When you mentioned accounting-start, I could not find any reference to it other than assume you are referring to the accounting section the the sites-enabled/default config. My other thought from research is to use the copy-acct-to-home-server, would that be correct, or am I wrong? Fixing the NAS relies on the vendor, which we have been advised that are working on it. However, I was of the mindset of building an interim solution until they release the fix. Thank you once again for you assistance. - Kind Regards - Byron Jeffery - On Wed, Aug 2, 2017 at 6:33 PM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2017-08-02 at 09:18 +1000, Byron Jeffery wrote:
I guess the missing puzzle piece for me is at which point does the client device obtain their IP address from the DHCP server, during post-auth or after post-auth? If it is after post-auth, then I am correct in saying that there would be no purpose in querying the FreeRadius DHCP IP pool database as the IP Address would not have been assigned by then?
Generally speaking the order is - Authentication happens first, to permit the device access to the network. Then the Accounting-Start as the new session is created. Then DHCP as the device tries to get an address. Finally you might get an Accounting Interim-Update with the new DHCP-assigned IP address for the session in it.
So to do what you want to do you probably need to assign the IP address for the device in post-auth (at the end of authentication) keyed off the Calling-Station-ID, which is hopefully the device MAC address. You could send that back as Framed-IP-Address if you really want, but it sounds like the NAS won't care anyway.
Then on Accounting-Start you can key off Calling-Station-ID to pull that IP address out of the database and create your own Framed-IP- Address, should you need it at this stage.
Then in DHCP rather than assigning an IP address you should again just look it up in the database (again, Calling-Station-ID should be the MAC address) and send that back to the client. If there's nothing in the database then just refuse to send anything back, as the client hasn't been through authentication properly. And be careful around DHCP renewals and when IPs expire from the database for a particular device.
As a start you should look at moving the IP address assignment from the DHCP authorize config into the RADIUS post-auth section, and then tweak from there.
Or fix/replace the NAS so it correctly reports the device's IP address, which would probably be a lot simpler...
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html