IP Pool management and Re-authentication

Thibault Le Meur Thibault.LeMeur at supelec.fr
Wed Mar 21 15:56:03 CET 2007


Hi Alan,

> > > I'd like to patch the openvpn-radiusplugin so that an extra attribute
> > > is sent in the Access-Accept packets so that FR will be able to
> > > differentiate Initial and Renegotiation Access-Accept requests and
> > > only assign new IP address from the pool on Initial Access-Accept
> > > requests.
> > 
> >   I think you mean Access-Request packet.
> 
> Sorry for the mistake, I meant Access-Request of course
> 
> >   If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can
> > allocate & send one in an Access-Accept.
> >   If openvpn re-authenticates a session with an existing IP address, it
> > should send Framed-IP-Address in the Access-Request.
> 
> If I get you right, my patch may be as simple as making radiusplugin add
> the Framed-IP-Address attribute in the Access-Request packet with the
> already assigned IP Address when it is a renegotiation.

I've patched the radiusplugin to add Framed-IP-Address to the re-auth
request but rlm_ippool still allocates a new IP Address (I'm using FR
1.1.4).

I can see this in radiusd -X:
modcall: entering group postauth.ovpn for request 3
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Allocating ip to nas/port: 192.168.1.1/1
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.168.1.1,port 1
  modcall[post-auth]: module "Ovpn_Main_Pool" returns ok for request 3

Where:
* 192.168.1.1 is the NAS IP Address
* 10.1.1.1 is the IP address allocated at connection time
* 10.1.1.2 is the IP address allocated at re-authentication time

Maybe I didn't understand you well:
* Is rlm_ippool supposed to return NOOP if a Framed-IP-Address attribute is
present in the Request?
OR
* Is it up to me to bypass rlm_ippool (by setting another Post-Auth-Type)
when a Re-Auth Request is performed (that is to say, when a
Framed-IP-Address attribute is present in the Request)?

Thanks in advance,
Thibault
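The following model, added here as an illustration and not code from rlm_ippool or the openvpn-radiusplugin, shows why the behaviour in the `radiusd -X` output above matters: once the re-auth allocates a second address, the pool's view of which address the tunnel on nas/port 192.168.1.1/1 uses diverges from the address the tunnel actually keeps, and the "stale" 10.1.1.1 can later be handed to another client. The second policy models what Alan describes: a re-auth request carrying Framed-IP-Address keeps that address. The round-robin scan, the `Entry`/`IPPool`/`OpenVPNNas` classes and the three-address pool are all constructed for the example; the real module's scan order and bookkeeping differ.

```python
"""
Model of a NAS/port-keyed address pool (added example, not rlm_ippool's code).
Modelling assumptions: addresses are handed out round-robin (a cursor advances
past the last allocation), an entry superseded by a newer one for the same
nas/port becomes "stale", and an OpenVPN tunnel keeps the address from its
initial Access-Accept across re-authentications.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    ip: str
    nas: str
    port: int
    stale: bool = False  # superseded by a newer entry for the same nas/port


@dataclass
class IPPool:
    addresses: list[str]
    entries: dict[str, Entry] = field(default_factory=dict)  # ip -> Entry
    cursor: int = 0  # round-robin position (modelling assumption)

    @classmethod
    def from_range(cls, first: str, last: str) -> "IPPool":
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        return cls([str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)])

    def live_entry(self, nas: str, port: int) -> Entry | None:
        """The non-stale entry the pool currently holds for this nas/port."""
        for e in self.entries.values():
            if not e.stale and (e.nas, e.port) == (nas, port):
                return e
        return None

    def allocate(self, nas: str, port: int, framed_ip: str | None = None,
                 honour_framed_ip: bool = False) -> str:
        existing = self.live_entry(nas, port)
        # Policy described in the thread: a re-auth request that carries
        # Framed-IP-Address keeps that address if the pool holds it for this port.
        if honour_framed_ip and framed_ip and existing and existing.ip == framed_ip:
            return existing.ip
        # Behaviour seen in the radiusd -X output: the old entry goes stale and
        # a fresh address is taken from the pool.
        if existing:
            existing.stale = True
        for _ in range(len(self.addresses)):
            ip = self.addresses[self.cursor]
            self.cursor = (self.cursor + 1) % len(self.addresses)
            e = self.entries.get(ip)
            if e is None or e.stale:
                self.entries[ip] = Entry(ip, nas, port)
                return ip
        raise RuntimeError("pool exhausted")


class OpenVPNNas:
    """Tracks the address each tunnel really uses (fixed at initial auth)."""

    def __init__(self, nas_ip: str, pool: IPPool, honour_framed_ip: bool):
        self.nas_ip, self.pool, self.honour = nas_ip, pool, honour_framed_ip
        self.tunnels: dict[int, str] = {}  # port -> tunnel address

    def connect(self, port: int) -> str:
        # Initial Access-Request: no Framed-IP-Address, pool assigns one.
        ip = self.pool.allocate(self.nas_ip, port)
        self.tunnels[port] = ip
        return ip

    def reauth(self, port: int) -> str:
        # Re-auth Access-Request carrying Framed-IP-Address (the patched plugin).
        return self.pool.allocate(self.nas_ip, port, framed_ip=self.tunnels[port],
                                  honour_framed_ip=self.honour)

    def conflicts(self) -> list[tuple[str, int, int]]:
        """(ip, tunnel port still using it, port the pool now records) triples."""
        out = []
        for ip, e in self.pool.entries.items():
            if e.stale:
                continue
            for port, tunnel_ip in self.tunnels.items():
                if tunnel_ip == ip and port != e.port:
                    out.append((ip, port, e.port))
        return out


def scenario(honour_framed_ip: bool) -> dict:
    """Replay the thread's sequence on a constructed 3-address pool."""
    pool = IPPool.from_range("10.1.1.1", "10.1.1.3")
    nas = OpenVPNNas("192.168.1.1", pool, honour_framed_ip)
    nas.connect(1)   # port 1 gets 10.1.1.1, as in the thread
    nas.reauth(1)    # without the policy: pool now records 10.1.1.2 for port 1
    nas.connect(2)   # two more clients churn through the pool
    nas.connect(3)
    return {
        "tunnel_1": nas.tunnels[1],
        "pool_view_1": pool.live_entry("192.168.1.1", 1).ip,
        "conflicts": nas.conflicts(),
    }


if __name__ == "__main__":
    print("allocate on re-auth:", scenario(False))
    print("honour Framed-IP-Address:", scenario(True))
```

With `honour_framed_ip=False` the pool records 10.1.1.2 for port 1 while the tunnel still uses 10.1.1.1, and the third client is later given 10.1.1.1, so two tunnels on the same NAS share an address; with the policy enabled the pool and the NAS agree and no conflict arises.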