Free Radius configuration problem with 28 NASs
searthrowl at eseye.com
Wed Feb 18 12:05:01 CET 2009
Sorry should have given this email a title...
Simon Earthrowl wrote:
> I am trying to configure free radius to work with our 28 NASs.
> These NASs are split into two groups, at different locations (equal
> split 14-14).
> ll NASs report NAS-IP-Address correctly (ie uniquely)
> Any device requesting authentication randomly connects to any one of
> the 28 NASs.
> All devices are unique, and Calling-Station-ID is used to uniquely
> identify every device. There is no possible chance of multiple
> instances connecting
> Some devices *may* require require PAP/CHAP -- the default being
> ignore User-Name etc. This is configured on a device by device basis.
> Devices may require an alternative configuration using Called-Station-ID
> Furthermore, I wish to use MySQL, so that I can add new provisioned
> devices auto-magically, without needing to tell the radius server.
> I've a freshly compiled version 2.1.3, running on CentOS 5.3 -- That
> was by far the easiest bit! Many thanks for that.
> *Now the problem....*
> Each set of NASs requires a different Framed-IP-Address pool eg
> 10.0.0.0/24 for site1, and 10.8.0.0/24 for site2 with
> Called-Station-Id = domain.com, and 192.168.110.0/26 for site1, and
> 192.168.110.128/26 for site2 with Called-Station-Id = domain.co.uk
> I'm using sqlippool to supply the IP.
> *What I've tried.....*
> Pool-name : I've set this in huntgroups, hints, clients.conf with no
> success whatsoever.
> Pool-Name: In netgroups -- performace was too slow, as I need 28
> groups per device!
> Virtual-Servers: I just don't get these. The README suggests I don't
> need a listen clause, the debug output suggests I do. I'm concerned
> that if I go down this route, I'll end up with slow responses again
> *Where I've got to:*
> I'm using radcheck table with the Sql-Name set to Calling-Station-ID,
> with Auth-Type := Accept (for the default case), and adding User-Name
> & password checking for specific PAP/CHAP authentication.
> *What I need please*
> Easiest: A fix, so I can set Pool-Name in clients.conf, or hints, that
> works in sqlippool.
> Intermediate: Another strategy that will scale (not 28 groups per device)
> Advanced: A far better understanding of where, and how, I can use
> unlang, and be able to calculate Pool-Name within a context such that
> sqlippool will corectly allocate an IP address.
> Many thanks in anticipation for help/suggestions being offered
> kind regards
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users