Ip pool doesn't works properly
Dustin Doris
freeradius at mail.doris.cc
Tue Jun 7 15:35:21 CEST 2005
On Tue, 7 Jun 2005, Simone Giovanardi wrote:
> > Hi,
> >
> > How can I configure FreeRADIUS to assign IP addresses dynamically with Ip
> > Pool when there is a successful authentication from Cisco 7200 access
> > server with FreeRADIUS 1.0.0?
> >
> > Like this it works sending out only 2 IP addresses... always the same...
>
> Is your Cisco sending a unique nasport/nasip for each client? Ip pool
> uses the nasip/nasport to identify the user.
>
> YES
>
> FROM THE LOGS SHOWN BELOW, IT SENDS OUT THE SAME TWO ADDRESSES AND
> DOESN'T KEEP ANY ENTRY IN YOUR DATABASE .IPPOOL (VIEWED WITH rlm_ippool_tool -a ...)
>
Unique nasip/nasport. Unique being the key word. Your NAS is sending
over nas-port of 0 for all requests. This makes it look like it's the same
user.
> rad_recv: Access-Request packet from host 83.216.176.254:21661, id=219, length=95
> Framed-Protocol = PPP
> User-Name = "font0001@"
> CHAP-Password = 0x01af73ef6670b0a4a65130cb133a902c2f
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = Framed-User
> NAS-IP-Address = 83.216.176.254
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0
> rad_recv: Access-Request packet from host 83.216.176.254:21661, id=220, length=95
> Framed-Protocol = PPP
> User-Name = "font0001@"
> CHAP-Password = 0x01852ebbe42598a17861fa2b06de488ff7
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = Framed-User
> NAS-IP-Address = 83.216.176.254
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Found a stale entry for ip/port: 83.216.178.190/0
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 83.216.178.213 to client on nas 83.216.176.254,port 0
> rad_recv: Access-Request packet from host 83.216.176.254:21661, id=226, length=80
> Framed-Protocol = PPP
> User-Name = "satc0002@"
> CHAP-Password = 0x0193da4f830e1c9dfa12364d6122880c8f
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = Framed-User
> NAS-IP-Address = 83.216.176.254
> rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0
Notice the nasip and nasport are the same for each request. Ip_pool keys
off the combination of nasip/nasport to determine the UNIQUE user. You
need to configure your NAS to send over a unique nasport for each user.

In Cisco, the nas-port is a 32-bit number.
Typically, the first 8 bits make up the interface. This is broken down
into 4 bits/1 bit/3 bits of slot/mod/port. The second 8 bits make up the
vpi and the last 16 make up the vci.

So if you were located in interface 1/0/3 with a PVC of 33/48, the
Nas-Port would represent that.

Read the Cisco documentation. Try something like this.

Router(config)# radius-server attribute nas-port format d

In order to use ip-pool you need to have a unique nasport sent over or
modify the code to trigger off something else.

Hope that helps.

-Dusty Doris
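
The following Python sketch is an added example, not part of the original message or of FreeRADIUS. It packs and unpacks the 32-bit NAS-Port layout described above and scans debug output for nas/port keys shared by more than one user. The function names and the sample log (documentation address 192.0.2.1, made-up user names) are constructed, and it assumes the "first" bits are the most significant ones.

```python
import re
from collections import defaultdict

# Layout from the post: 4 bits slot, 1 bit module, 3 bits port, 8 bits VPI,
# 16 bits VCI. Assumption: the "first" bits are the most significant ones.
def encode_nas_port(slot, module, port, vpi, vci):
    value = 0
    for field, width in zip((slot, module, port, vpi, vci), (4, 1, 3, 8, 16)):
        if not 0 <= field < (1 << width):
            raise ValueError(f"{field} does not fit in {width} bits")
        value = (value << width) | field
    return value

def decode_nas_port(value):
    return {"slot": value >> 28 & 0xF, "module": value >> 27 & 0x1,
            "port": value >> 24 & 0x7, "vpi": value >> 16 & 0xFF,
            "vci": value & 0xFFFF}

ATTR = re.compile(r'^\s*(User-Name|NAS-IP-Address|NAS-Port)\s*=\s*"?([^"\n]*)"?\s*$')

def shared_pool_keys(debug_log):
    """Map each nas/port key seen with more than one user to those users."""
    users_by_key = defaultdict(set)
    request = None
    for line in debug_log.splitlines() + ["rad_recv: <end of capture>"]:
        if line.startswith("rad_recv:"):  # new packet: flush the previous one
            if request and {"NAS-IP-Address", "NAS-Port"} <= request.keys():
                key = (request["NAS-IP-Address"], int(request["NAS-Port"]))
                users_by_key[key].add(request.get("User-Name", "?"))
            request = {}
        elif request is not None and (m := ATTR.match(line)):
            request[m.group(1)] = m.group(2).strip()
    return {k: sorted(v) for k, v in users_by_key.items() if len(v) > 1}

# Constructed sample in the debug format quoted above; not taken from the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.1:21661, id=1, length=95
User-Name = "alice@"
NAS-Port = 0
NAS-IP-Address = 192.0.2.1
rad_recv: Access-Request packet from host 192.0.2.1:21661, id=2, length=95
User-Name = "bob@"
NAS-Port = 0
NAS-IP-Address = 192.0.2.1
rad_recv: Access-Request packet from host 192.0.2.1:21661, id=3, length=95
User-Name = "carol@"
NAS-Port = 320929840
NAS-IP-Address = 192.0.2.1"""
```

A port being reused by different users over time is normal; several users sharing one key within a single short capture, as with NAS-Port 0 here, is the symptom described in the reply.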