rlm_sqlippool allocating duplicate IPs
Phil Mayers
p.mayers at imperial.ac.uk
Wed Dec 2 15:23:17 CET 2009
Phil Mayers wrote:
> Phil Mayers wrote:
>> All,
>>
>> I've just become aware of a rather annoying problem with our PPTP VPN
>> server. Sometimes, a client will connect, disconnect and reconnect in
>> quick succession. In these circumstances, there seems to be a window
>> in which an IP can remain allocated to a live VPN session, but is marked as
>> free in the SQL table, causing subsequent clients to connect, be
>> allocated the IP, and fail to get any connectivity.
>
> ACK!
>
> Shortly after sending this email, we found the problem and it's truly
> vile. It's nothing to do with FreeRadius at all, except tangentially -
> what's actually happening is that the PPTP client is closing the PPP LCP
> layer and re-opening it on the same PPTP control/data channel.
>
> This results in a very rapid set of:

Ugh. Even worse, it doesn't actually re-authenticate the user; it
actually just tears down the IPCP layer, and then brings it back up
again USING THE SAME IP. Of course, the "stop-clear" query has run
at that point and reset the pool_key column to "0", so the 2nd
accounting start doesn't re-allocate the IP.

That is, it does:

access-request
  allocate-ip
    update pool set nas=%{NAS},pool_key=${pool-key} where ip=%I
accounting-start
  update pool set expires=now()+x where nas=%{NAS} and pool_key=${pool-key}
accounting-stop
  update pool set expires=now()-1,pool_key=0 where nas=%{NAS} and pool_key=${pool-key}
accounting-start
  update pool set expires=now()+x where nas=%{NAS} and pool_key=${pool-key}
  FAILS because pool_key=0 now

Bah. Bah bah bah.
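
The sequence described above, replayed against an in-memory SQLite table as an added example (not part of the original post and not FreeRADIUS code). The table layout, the "find a free IP" SELECT, the lease length, the NAS name, the pool keys and the one-address pool are all assumptions made for the demonstration; only the three UPDATE statements follow the post.

```python
import sqlite3

LEASE = 3600  # the "x" in the queries above, in seconds (assumed value)

def make_pool(ips):
    # Assumed minimal schema: one row per address, pool_key '0' means unowned.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pool (ip TEXT PRIMARY KEY, nas TEXT,"
               " pool_key TEXT, expires INTEGER)")
    db.executemany("INSERT INTO pool VALUES (?, '', '0', 0)",
                   [(ip,) for ip in ips])
    return db

def allocate(db, nas, key, now):
    # Assumed free-IP lookup: any row whose lease has already expired.
    row = db.execute("SELECT ip FROM pool WHERE expires < ?"
                     " ORDER BY expires LIMIT 1", (now,)).fetchone()
    if row is None:
        return None
    db.execute("UPDATE pool SET nas=?, pool_key=? WHERE ip=?",
               (nas, key, row[0]))
    return row[0]

def acct_start(db, nas, key, now):
    # Returns the number of rows whose lease was extended.
    return db.execute("UPDATE pool SET expires=? WHERE nas=? AND pool_key=?",
                      (now + LEASE, nas, key)).rowcount

def acct_stop(db, nas, key, now):
    # The "stop-clear" query: expire the lease and reset pool_key to 0.
    return db.execute("UPDATE pool SET expires=?, pool_key='0'"
                      " WHERE nas=? AND pool_key=?",
                      (now - 1, nas, key)).rowcount

def replay():
    db = make_pool(["10.0.0.1"])   # constructed one-address pool
    nas, t = "vpn1", 1000          # constructed NAS name and clock
    live = {}                      # pool_key -> IP the NAS is really using
    live["A"] = allocate(db, nas, "A", t)
    acct_start(db, nas, "A", t)
    acct_stop(db, nas, "A", t + 5)                  # client closes IPCP
    restart_rows = acct_start(db, nas, "A", t + 6)  # IPCP back up, same IP
    live["B"] = allocate(db, nas, "B", t + 10)      # next client connects
    acct_start(db, nas, "B", t + 10)
    return restart_rows, live

if __name__ == "__main__":
    print(replay())
```

The second accounting-start matches zero rows, so the table keeps treating the address as free while session A is still using it, and session B is handed the same IP.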