IP Pool management and Re-authentication
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Thu Mar 22 10:26:46 CET 2007
>
> > Thibault Le Meur wrote:
> > > I've patched the radiusplugin to add Framed-IP-Address to
> > the re-auth
> > > request but rlm_ippool still allocates a new IP Address
> > (I'm using FR
> > > 1.1.4).
> >
> > Ok. It seems like rlm_ippool should be updated to look for
> > Framed-IP-Address in the request.
> >
> > That would be very useful, and would solve the problem
> > you're seeing.
> >
> > Alan DeKok.
>
> Do you mean updated (to 1.1.5) or patched ?
Never mind, I found the answer by looking at the code from rlm_ippool.c.

Currently, when an Access-Request arrives, rlm_ippool:
* looks in the pool for an 'active' entry (flagged as active) with the
  key NAS-IP/NAS-port
* If no entry is found
  ==> rlm_ippool allocates an @IP from the pool
* If an active entry is found
  ==> it is considered as a stale entry and is marked as not active
      (active=0)
  ==> then a new IP is allocated

If rlm_ippool is 'updated' to take Framed-IP-Address into account, what
should the behaviour be?

A simple patch would consist of doing nothing at Post-Auth time if the
request contains a Framed-IP-Address.

A more complex patch should handle several different cases and decide what
to do. For instance:
* when an Access-Request is received, look for an active entry in the pool with
  the search key NAS-IP/NAS-port
* If no entry is found
  * If there is no Framed-IP-Address attribute in the Request
    ==> allocate a new @IP from the pool
  * If there is a Framed-IP-Address attribute in the Request
    * If the Framed-IP-Address belongs to the IP range of the pool (but it
      is not assigned to this NAS-IP/NAS-port)
      ==> then issue a warning log (especially if this IP is allocated to an
          active entry for another NAS-IP/NAS-port)
      ==> do not allocate a new @IP ??? (Or should we enforce a new IP,
          without being sure the NAS will be able to use it?)
    * If the Framed-IP-Address doesn't belong to the IP range of the pool
      ==> do not allocate a new @IP
* If an entry is found (there is already an allocated @IP for this
  NAS-IP/NAS-port)
  * If there is a Framed-IP-Address attribute in the Request
    * If this Framed-IP-Address is the same as the allocated IP from the
      entry found
      ==> then do nothing (no stale marking, no new @IP allocation)
    * If this Framed-IP-Address is NOT the same as the allocated IP from the
      entry found
      ==> then mark the current entry as stale (active=0)
      ==> report an error in the log because something went wrong
          (especially if the Framed-IP-Address received is allocated to another
          NAS-IP/NAS-port entry in the pool)
      ==> do not allocate a new @IP
  * If there is no Framed-IP-Address attribute in the Request
    ==> then mark the current entry as stale (active=0)
    ==> allocate a new @IP

What do you think?
Is it already done in the current development tree?
Regards,
Thibault Le Meur
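The decision table proposed in the post above, simulated in Python as an added illustration. This is not rlm_ippool code and not the author's patch: the pool is an in-memory dict keyed by NAS-IP/NAS-port, addresses are handed out round-robin from a CIDR range, and the type and function names (Pool, Entry, Decision, handle_access_request, make_pool) are assumptions. For the branch the post leaves open ("???"), the simulation takes the conservative choice and allocates nothing; the sample addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

Key = Tuple[str, int]  # (NAS-IP, NAS-port), the pool's search key


@dataclass
class Entry:
    """One pool entry: the address handed to a NAS-IP/NAS-port key."""
    ip: str
    active: bool = True  # active=0 in the post's wording means a stale entry


@dataclass
class Decision:
    """What the simulated module decided for one Access-Request."""
    allocated: bool       # a fresh address was taken from the pool
    ip: str               # address the NAS should end up using (new or kept)
    stale_marked: bool    # the existing entry for this key was marked active=0
    messages: list = field(default_factory=list)  # "warning: ..." / "error: ..." lines


@dataclass
class Pool:
    network: IPv4Network                         # range the pool allocates from
    entries: dict = field(default_factory=dict)  # Key -> Entry
    _cursor: int = 0                             # round-robin allocation position

    def in_range(self, ip: str) -> bool:
        return ip_address(ip) in self.network

    def active_owner(self, ip: str, except_key: Key) -> Optional[Key]:
        """Key of another NAS/port whose active entry holds `ip`, if any."""
        for key, entry in self.entries.items():
            if key != except_key and entry.active and entry.ip == ip:
                return key
        return None

    def allocate(self, key: Key) -> str:
        """Hand out the next address not held by any active entry."""
        hosts = list(self.network.hosts())
        used = {e.ip for e in self.entries.values() if e.active}
        for i in range(len(hosts)):
            idx = (self._cursor + i) % len(hosts)
            candidate = str(hosts[idx])
            if candidate not in used:
                self._cursor = (idx + 1) % len(hosts)
                self.entries[key] = Entry(candidate)  # replaces any stale entry
                return candidate
        raise RuntimeError("pool exhausted")


def make_pool(cidr: str) -> Pool:
    return Pool(ip_network(cidr))


def handle_access_request(pool: Pool, nas_ip: str, nas_port: int,
                          framed_ip: Optional[str] = None) -> Decision:
    """Apply the post's proposed decision table to one Access-Request."""
    key: Key = (nas_ip, nas_port)
    entry = pool.entries.get(key)

    # Case 1: no active entry for this NAS-IP/NAS-port
    if entry is None or not entry.active:
        if framed_ip is None:
            return Decision(allocated=True, ip=pool.allocate(key), stale_marked=False)
        if pool.in_range(framed_ip):
            msgs = [f"warning: Framed-IP-Address {framed_ip} is in the pool range "
                    f"but not assigned to {key}"]
            owner = pool.active_owner(framed_ip, except_key=key)
            if owner is not None:
                msgs.append(f"warning: {framed_ip} is held by an active entry for {owner}")
            # Open question in the post; assumption here: do not allocate.
            return Decision(allocated=False, ip=framed_ip, stale_marked=False, messages=msgs)
        # Address outside the pool is not ours to manage: allocate nothing
        return Decision(allocated=False, ip=framed_ip, stale_marked=False)

    # Case 2: an active entry exists for this key
    if framed_ip is not None:
        if framed_ip == entry.ip:
            # Re-authentication with the address we already gave out: keep it
            return Decision(allocated=False, ip=entry.ip, stale_marked=False)
        entry.active = False  # mark stale, the NAS and the pool disagree
        msgs = [f"error: {key} re-authenticated with {framed_ip} but pool holds {entry.ip}"]
        owner = pool.active_owner(framed_ip, except_key=key)
        if owner is not None:
            msgs.append(f"error: {framed_ip} is allocated to another entry {owner}")
        return Decision(allocated=False, ip=framed_ip, stale_marked=True, messages=msgs)

    # No Framed-IP-Address: today's behaviour, stale-mark then reallocate
    entry.active = False
    return Decision(allocated=True, ip=pool.allocate(key), stale_marked=True)


if __name__ == "__main__":
    pool = make_pool("10.0.0.0/29")  # constructed sample range
    print(handle_access_request(pool, "192.0.2.1", 1))               # first login
    print(handle_access_request(pool, "192.0.2.1", 1, "10.0.0.1"))   # re-auth, kept
    print(handle_access_request(pool, "192.0.2.1", 2, "10.0.0.1"))   # wrong port
```

The sequence in the `__main__` block walks the three most common paths: first allocation, a re-authentication carrying the same Framed-IP-Address (no stale marking, no new address), and a request from a different NAS-port claiming an address already held by an active entry (warning, nothing allocated).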