Different IP Pool per proxied realm
Tony Spencer
tony at eurisp.co.uk
Tue Feb 12 14:32:39 CET 2008
The only place I found a reference to the IP Pool is in the site-enabled
config file. So I added:

    if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") {
        main_pool
    }

Since it should only assign from the pool if the Framed-IP-Address we get
back is 255.255.255.254, and not a statically assigned IP.

There is an error in the debug when a user tries to log in, but it seems to
run the rule. But it still doesn't seem to assign from the IP pool.

Please could you take a look at the debug and comment/suggest?

rad_recv: Access-Request packet from host 127.0.0.1 port 32791, id=155,
length=77
User-Name = "user at dsl.realm.co.uk"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Looking up realm "dsl.realm.co.uk" for User-Name =
"user at dsl.realm.co.uk"
rlm_realm: Found realm "dsl.realm.co.uk"
rlm_realm: Proxying request from user grahamdr to realm dsl.realm.co.uk
rlm_realm: Adding Realm = "dsl.realm.co.uk"
rlm_realm: Preparing to proxy authentication request to realm
"dsl.realm.co.uk"
++[suffix] returns updated
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 8
++[files] returns ok
expand: %{User-Name} -> user at dsl.realm.co.uk
rlm_sql (sql): sql_set_user escaped user --> 'user at dsl.realm.co.uk'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'user at dsl.realm.co.uk' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'user at dsl.realm.co.uk'
ORDER BY id
expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname
FROM usergroup WHERE username = 'user at dsl.realm.co.uk'
ORDER BY id
rlm_sql_mysql: query: SELECT groupname FROM usergroup
WHERE username = 'user at dsl.realm.co.uk' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): User user at dsl.realm.co.uk not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group pre-proxy
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m
%d -> /usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m
%d expands to
/usr/local/var/log/radius/radacct/127.0.0.1/pre-proxy-detail-20080212
expand: %t -> Tue Feb 12 13:22:36 2008
++[pre_proxy_log] returns ok
Sending Access-Request of id 222 to 10.0.0.18 port 1645
User-Name = "user at dsl.realm.co.uk"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
Proxy-State = 0x313535
Proxying request 0 to home server 10.0.0.18 port 1645
Sending Access-Request of id 222 to 10.0.0.18 port 1645
User-Name = "user at dsl.realm.co.uk"
User-Password = "s3cr3t"
NAS-IP-Address = 127.0.0.1
NAS-Port = 111
Realm = "dsl.realm.co.uk"
Realm = "dsl.realm.co.uk"
Proxy-State = 0x313535
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.0.0.18 port 1645, id=222,
length=107
Class =
0x5342522d434c20444e3d22323035333632222041543d22323030222055533d22222053493d
22323838312200
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254 << this should match the rule.
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x313535
+- entering group post-proxy
expand: %{Realm} -> dsl.realm.co.uk
attr_filter: Matched entry DEFAULT at line 103
++[attr_filter.post-proxy] returns updated
++[eap] returns noop
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
++[eap] returns noop
users: Matched entry DEFAULT at line 8
++[files] returns ok
expand: %{User-Name} -> user at dsl.realm.co.uk
rlm_sql (sql): sql_set_user escaped user --> 'user at dsl.realm.co.uk'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'user at dsl.realm.co.uk' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'user at dsl.realm.co.uk'
ORDER BY id
expand: SELECT groupname FROM usergroup WHERE
username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname
FROM usergroup WHERE username = 'user at dsl.realm.co.uk'
ORDER BY id
rlm_sql_mysql: query: SELECT groupname FROM usergroup
WHERE username = 'user at dsl.realm.co.uk' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): User user at dsl.realm.co.uk not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [user at dsl.realm.co.uk/s3cr3t] (from client localhost port 111)
+- entering group post-auth
++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254")
WARNING: Unknown module "proxy_reply" in string expansion
"%{proxy_reply:Framed-IP-Address}"
expand: %{proxy_reply:Framed-IP-Address} ->
? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") ->
FALSE
++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> user at dsl.realm.co.uk
rlm_sql (sql): sql_set_user escaped user --> 'user at dsl.realm.co.uk'
expand: %{User-Password} -> s3cr3t
expand: INSERT INTO radpostauth (user,
pass, reply, date) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(user, pass, reply, date) VALUES (
'user at dsl.realm.co.uk', 's3cr3t',
'Access-Accept', '2008-02-12 13:22:36')
expand: /usr/local/var/log/radius/sqltrace.sql ->
/usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(user, pass, reply, date) VALUES (
'user at dsl.realm.co.uk', 's3cr3t',
'Access-Accept', '2008-02-12 13:22:36')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth
(user, pass, reply, date) VALUES (
'user at dsl.realm.co.uk', 's3cr3t',
'Access-Accept', '2008-02-12 13:22:36')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 155 to 127.0.0.1 port 32791
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Finished request 0.
-----Original Message-----
From: freeradius-users-bounces+tony=eurisp.co.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+tony=eurisp.co.uk at lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm
Tony Spencer wrote:
>
> I currently have this in radiusd.conf.
That is NOT the only reference to the "ippool" module. The IPs get
allocated *somewhere* via a reference to the "main_pool" module. You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.
> I've tried adding the statement before and inside this but even static
> assigned users get an address from the pool.
Umm... please go read "man unlang". It is a *policy* language for
*processing* packets. It does not apply to module configurations.
See the default configuration files for examples of how to use "if()".
Alan DeKok.
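
Added example (not part of the original post or of FreeRADIUS): a small Python check that reads radiusd debug output like the trace above and reports unlang conditions that evaluated FALSE because a string expansion failed, rather than because the compared values differed. The sample lines are taken from the post's post-auth trace with the mail-wrapped lines rejoined; the function and field names are assumptions of this example.

```python
import re

# Sample input: lines from the post-auth part of the debug output in the post,
# with the lines that the mail client wrapped rejoined onto one line each.
SAMPLE_DEBUG = '''\
+- entering group post-auth
++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254")
WARNING: Unknown module "proxy_reply" in string expansion "%{proxy_reply:Framed-IP-Address}"
        expand: %{proxy_reply:Framed-IP-Address} ->
? Evaluating ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE
++? if ("%{proxy_reply:Framed-IP-Address}" == "255.255.255.254") -> FALSE
rlm_sql (sql): Processing sql_postauth
        expand: %{User-Name} -> user at dsl.realm.co.uk
++[sql] returns ok
'''

SECTION = re.compile(r'^\+- entering group (\S+)')
UNKNOWN = re.compile(r'^WARNING: Unknown module "([^"]+)" in string expansion "([^"]+)"')
EXPAND = re.compile(r'^\s*expand: (.+?) ->\s*(.*)$')
RESULT = re.compile(r'^\++\? if \((.+)\) -> (TRUE|FALSE)$')


def audit_conditions(debug_text):
    """Return one finding per evaluated unlang condition in the debug text."""
    findings, section = [], None
    unknown, empty = {}, set()  # expansion -> module name; expansions that came back empty
    for line in debug_text.splitlines():
        if m := SECTION.match(line):
            section = m.group(1)
        elif m := UNKNOWN.match(line):
            unknown[m.group(2)] = m.group(1)
        elif m := EXPAND.match(line):
            if not m.group(2).strip():
                empty.add(m.group(1).strip())
        elif m := RESULT.match(line):
            cond, result = m.group(1), m.group(2)
            bad = {x: mod for x, mod in unknown.items() if x in cond}
            findings.append({
                "section": section,
                "condition": cond,
                "result": result,
                "unknown_modules": sorted(set(bad.values())),
                "empty_expansions": sorted(x for x in empty if x in cond),
                # FALSE because the expansion failed, not because the values differed
                "false_by_failed_expansion": result == "FALSE" and bool(bad),
            })
            unknown, empty = {}, set()  # warnings apply only to the condition just reported
    return findings
```

On the sample it returns a single finding for the post-auth condition, with "proxy_reply" listed as an unknown module and the expansion listed as empty.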