dhcp sqlippool reauthenticate users every minute

Ethan Hayon ehayon at gmail.com
Fri Jan 11 21:50:33 CET 2013

Hi, I'm trying to set up FreeRADIUS 2.2 to act as an authentication and accounting system as well as a DHCP server. (I'm relaying DHCP requests from a pfSense box).

I am trying to use sqlippools on FreeRADIUS, but I have noticed that my ippools are filling up quickly (I am only testing with two devices). I have pfSense configured to reauthenticate users every minute, so I believe that FreeRADIUS is running post-auth DHCP leasing each time the user is reauthenticated. FreeRADIUS is serving the same client a new IP address each minute.

I have adjusted my policy conf to the below. I may be approaching this the wrong way, but this is essentially what I am trying to do:

I want to have multiple pools on different subnets. When a new client connects to the network (they don't yet have a RADIUS account) they are sent to a default (pending) pool. This may be on the 192.168.1/24 subnet. After they have set up their account and have been added to the RADIUS database, they will be given a pool-name, maybe `pool2`. `pool2` will be on a different subnet, for example, 192.168.2/24. The pfSense box knows how to route these subnets, so that is not a problem. I only want clients to receive a different IP address if their pool-name changes for whatever reason; if there are no changes to their account, they shouldn't be leased a new IP every time they reauthenticate (every minute).

Eventually I will disable the reauthenticate every minute feature as the production system would not be able to handle this many requests. 

Am I approaching this problem correctly? I have written some unlang in the policy.conf file for handling some of this. I am getting hung up on this problem. The pool is getting exhausted in minutes since each client is leased a new IP every minute.

Any help is appreciated!

dhcp_sqlippool.post-auth {
		#  Do some minor hacks to the request so that it looks
		#  like a RADIUS request to the SQL IP Pool module.

		# check whether the requester is a user or not, if they do not have a pool-name, send them to pfpriv by default
		if ("%{sql: SELECT COUNT(*) FROM radcheck where username='%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}" != "0") {
			update control {
				Pool-Name := "%{sql: SELECT `value` FROM radcheck WHERE username = '%{DHCP-Client-Hardware-Address}' AND attribute='Pool-Name'}"
			}
		}
		else {
			update control {
				Pool-Name := "pfpriv" # default pool if the user doesn't have an account
			}
		}

		update reply {
			DHCP-Domain-Name-Server = "" # we will ultimately create a mysql table `radpoolinfo` to store per-pool attributes
			DHCP-Router-Address = "" # this will also be in `radpoolinfo` eventually
		}

		update request {
			User-Name = "DHCP-%{DHCP-Client-Hardware-Address}"
			Calling-Station-Id = "%{DHCP-Client-Hardware-Address}"
			NAS-IP-Address = "%{%{DHCP-Gateway-IP-Address}:-}"
			Acct-Status-Type = Start
		}

		#  Call the actual module
		#  Uncomment this in order to really call it!

		#  Convert Framed-IP-Address to DHCP, but only if we
		#  actually allocated an address.
		if (ok) {
			update reply {
				DHCP-Your-IP-Address = "%{reply:Framed-IP-Address}"
			}
		}
}
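
Added example, not part of the original post and not FreeRADIUS or sqlippool code: a sketch of the allocation behaviour the message asks for, where a re-authenticating client keeps its address unless its pool name changes, so repeated requests cannot drain a pool. The `lease` table, the function names, the sample addresses and the sample MAC are assumptions made for illustration.

```python
import sqlite3

DEFAULT_POOL = "pfpriv"  # default pool name taken from the post

def make_db(pools):
    """Build an in-memory lease table (hypothetical schema) from {pool: [ips]}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lease (ip TEXT PRIMARY KEY, pool TEXT NOT NULL,"
               " mac TEXT, expires INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO lease (ip, pool) VALUES (?, ?)",
                   [(ip, pool) for pool, ips in pools.items() for ip in ips])
    return db

def allocate(db, mac, pool, now, lease_time=3600):
    """Return the client's address in `pool`, reusing a live lease if one exists."""
    with db:  # one transaction: lookup, release and claim commit together
        row = db.execute("SELECT ip FROM lease WHERE mac = ? AND pool = ?"
                         " AND expires > ?", (mac, pool, now)).fetchone()
        if row:  # re-authentication with an unchanged pool: renew, do not reallocate
            db.execute("UPDATE lease SET expires = ? WHERE ip = ?",
                       (now + lease_time, row[0]))
            return row[0]
        # Pool changed (or first contact): free anything the client holds elsewhere.
        db.execute("UPDATE lease SET mac = NULL, expires = 0 WHERE mac = ?", (mac,))
        row = db.execute("SELECT ip FROM lease WHERE pool = ? AND expires <= ?"
                         " ORDER BY expires, ip LIMIT 1", (pool, now)).fetchone()
        if row is None:
            return None  # pool exhausted: the caller should reject the request
        db.execute("UPDATE lease SET mac = ?, expires = ? WHERE ip = ?",
                   (mac, now + lease_time, row[0]))
        return row[0]

def in_use(db, pool, now):
    """Number of addresses in `pool` currently held by a live lease."""
    return db.execute("SELECT COUNT(*) FROM lease WHERE pool = ? AND expires > ?",
                      (pool, now)).fetchone()[0]

if __name__ == "__main__":
    # Constructed sample data: two pools and one made-up client MAC.
    db = make_db({DEFAULT_POOL: ["192.168.1.10", "192.168.1.11"],
                  "pool2": ["192.168.2.10"]})
    mac = "00:11:22:33:44:55"
    for minute in range(5):  # five re-authentications, one per minute
        print(minute, allocate(db, mac, DEFAULT_POOL, now=minute * 60))
    print("after pool change:", allocate(db, mac, "pool2", now=300))
```

Counting live leases per pool with something like `in_use` after each re-authentication cycle is a quick way to confirm whether a configuration is reusing addresses or consuming a new one each time.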
