IP Pool management and Re-authentication
Alan DeKok
aland at deployingradius.com
Tue Mar 20 18:22:24 CET 2007
Thibault Le Meur wrote:
> Openvpn sometimes needs to renegotiate the connections and thus sends
> authentication requests while the connection is still active (with an
> already assigned IP address): this causes FR to assign a new IP address from
> the pool (which seems normal since FR has no way to know this is a
> renegotiation).
So why isn't the radiusplugin telling FreeRADIUS what the old IP
address was?
> I'd like to patch the openvpn-radiusplugin so that an extra attribute is
> sent in the Access-Accept packets so that FR will be able to differentiate
> Initial and Renegotiation Access-Accept requests and only assign new IP
> address from the pool on Initial Access-Accept requests.
I think you mean Access-Request packet. If it doesn't have a
Framed-IP-Address attribute, FreeRADIUS can allocate & send one in an
Access-Accept. If openvpn re-authenticates a session with an existing
IP address, it should send Framed-IP-Address in the Access-Request.
> Do you know a standard Radius attribute that could be used for this?
> As far as you know, are there other NASes using such a quirk? Does this
> make sense?
It makes sense.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
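
The behaviour discussed in this thread, as an added sketch that is not part of the original messages and is not FreeRADIUS or openvpn-radiusplugin code: a toy pool that keeps the existing lease when an Access-Request carries Framed-IP-Address (attribute type 8) and allocates a new address otherwise. The `LeasePool` class, the helper names, the sample addresses and the choice not to trust a claimed address that is not leased to that user are assumptions; only the attribute section of the packet is modelled.

```python
import ipaddress
import struct

USER_NAME = 1           # RADIUS attribute types from RFC 2865
FRAMED_IP_ADDRESS = 8

def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def request_attrs(user, framed_ip=None):
    """Attribute section of an Access-Request (packet header omitted)."""
    blob = encode_attr(USER_NAME, user.encode())
    if framed_ip is not None:  # re-authentication: report the address in use
        blob += encode_attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    return blob

def parse_attrs(blob):
    """Parse TLV attributes, rejecting truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs

class LeasePool:
    """Hypothetical in-memory pool; stands in for the server's IP pool."""
    def __init__(self, cidr):
        self.free = [str(h) for h in ipaddress.ip_network(cidr).hosts()]
        self.leases = {}  # ip -> user name

    def handle_request(self, blob):
        """Return the address to place in the Access-Accept."""
        attrs = parse_attrs(blob)
        user = attrs[USER_NAME].decode()
        claimed = attrs.get(FRAMED_IP_ADDRESS)
        if claimed is not None and len(claimed) == 4:
            ip = str(ipaddress.IPv4Address(claimed))
            if self.leases.get(ip) == user:
                return ip  # renegotiation: keep the existing lease
            # Assumption: a claim for an address not leased to this user
            # is not trusted; fall through and allocate a fresh one.
        if not self.free:
            raise LookupError("pool exhausted")
        ip = self.free.pop(0)
        self.leases[ip] = user
        return ip
```

A renegotiation that omits Framed-IP-Address consumes a second pool entry for the same session, which is the symptom described in the quoted message.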