dhcp sqlippool reauthenticate users every minute

Ethan Hayon ehayon at gmail.com
Sat Jan 12 04:36:36 CET 2013


On Jan 11, 2013, at 6:38 PM, Alan DeKok <aland at deployingradius.com> wrote:

Hi Alan, thanks for the response.

> Ethan Hayon wrote:
>> When I run the server in debug mode the Acct-Unique-Session-ID remains
>> the same across the interim accounting updates. However,
>> re-authentications don't seem to have a unique key associated with them. 
> 
>  That makes no sense.  There is *nothing* unique to each user you can
> key off of?  Name?  MAC address?

Yes, MAC address is unique for each user. The MAC should be a unique identifier when assigning IPs.

> 
>> In my post-auth policy, I am updating control with the proper pool-name
>> (with an unlang), changing some other reply attributes, then calling
>> dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to
>> this, does this sound like the proper way of handling the serving of
>> ip's on multiple subnets. DHCP-Domain-Name-Server and
>> DHCP-Router-Address will change between pools. 
> 
>  Get one thing working first.  Only then look at the next thing.
Good point

> 
>> I guess I'm asking if I am approaching this correctly: Using unlang in
>> policy.conf to handle these rules. 
> 
>  unlang is for policy rules.  Databases are for data.  You've got some
> kind of mixup between the two.

Sorry for the misunderstanding. I understand this. I'm just making sure it is normal to use unlang in the policy.conf to perform sql queries and use the results to build up a response. Again, I need to get this working before worrying about that.

> 
>> Sorry to put such a long debug message in here. I pulled out one
>> authorization request, but they all look the same. It looks like 
> 
>  They don't all look the same.  They contain different information for
> each user.  How else does the server tell users apart?

I am only using one device right now, so the auth requests look the same, which is why I only included one below. The auth requests will look different if I introduce more devices into the system.

> 
>> This is what my authorization looks like:
>> 
>> The request comes in with a framed ip of 192.168.0.43, but it tries to
>> serve it 192.168.0.50.
> 
>  The default queries use Calling-Station-Id to track IP addresses.
> They *also* assume that the NAS sends accounting packets, so that each
> user has an accounting entry in SQL.
> 
>> It reallocates a new IP for each auth every minute.
> 
>  Probably because the NAS isn't sending accounting data.  So the IP is
> never tracked in SQL.
> 
>  So... did you look in the SQL database to see what's there?  Is it
> tracking the IP?  Does the user have an accounting record?

Yes, the NAS is sending accounting data. This is what radacct looks like (some columns omitted):

+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
| radacctid | acctsessionid    | acctuniqueid     | username          | nasipaddress  | callingstationid  | calledstationid | framedipaddress |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+
|        17 | 9e90e1a3b02da713 | 068649e121f096f2 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.40    |
|        18 | 61ebc2f61333e8d4 | 857f2f856c1ea384 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        19 | a8aed7c0d9ce3bd1 | 541ef5a9672cc6e7 | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        20 | 5bd18f3ccb1edf8a | e3c55f048d9a680b | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        21 | 72ad87c6b43a08b4 | e427b47f54737c4f | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
|        22 | bff889e83c3b469b | 70ec2fe5fa197bcc | b8:8d:12:10:8d:f6 | 98.109.201.89 | b8:8d:12:10:8d:f6 | 98.109.201.89   | 192.168.0.43    |
+-----------+------------------+------------------+-------------------+---------------+-------------------+-----------------+-----------------+

So there is an accounting record for each user and each user session.

Right now, I'm thinking there is a mismatch either in the nasipaddress or some other attribute. The NAS has a WAN ip of 98.109.201.89 and a LAN IP of 192.168.1.1. The RADIUS server is on LAN at 192.168.1.2. I have noticed that sometimes the nasipaddress appears as 192.168.1.1 and other times as 98.109.201.89. I think I am going to start with a fresh install of freeradius. I messed with too many queries (such as adjusting the Pool-Key) and I am worried that I have created a mess. 

Ethan Hayon

> 
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
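The radacct excerpt above is small enough to check by eye, but the two things the poster is looking for (one MAC being handed several addresses, and the nasipaddress flipping between the LAN and WAN side of the NAS) are easy to miss on a real table. The following is an added example, not part of the thread or of FreeRADIUS; it loads the six quoted rows plus one constructed row (radacctid 23, with the 192.168.1.1 nasipaddress the poster mentions seeing) into an in-memory SQLite table shaped like radacct, then reports stations with more than one framedipaddress or more than one nasipaddress. SQLite stands in for MySQL here so the script runs offline; the queries are plain SQL and work unchanged against the real table.

```python
"""Consistency checks over a radacct excerpt (added example, not from the thread)."""
import sqlite3
from collections import defaultdict

# Constructed sample: the six rows quoted in the thread (acctsessionid and
# calledstationid omitted) plus one constructed row, radacctid 23, whose
# nasipaddress is the NAS's LAN address instead of its WAN address.
SAMPLE_RADACCT = [
    # radacctid, acctuniqueid, username, nasipaddress, callingstationid, framedipaddress
    (17, "068649e121f096f2", "b8:8d:12:10:8d:f6", "98.109.201.89", "b8:8d:12:10:8d:f6", "192.168.0.40"),
    (18, "857f2f856c1ea384", "b8:8d:12:10:8d:f6", "98.109.201.89", "b8:8d:12:10:8d:f6", "192.168.0.43"),
    (19, "541ef5a9672cc6e7", "b8:8d:12:10:8d:f6", "98.109.201.89", "b8:8d:12:10:8d:f6", "192.168.0.43"),
    (20, "e3c55f048d9a680b", "b8:8d:12:10:8d:f6", "98.109.201.89", "b8:8d:12:10:8d:f6", "192.168.0.43"),
    (21, "e427b47f54737c4f", "b8:8d:12:10:8d:f6", "98.109.201.89", "b8:8d:12:10:8d:f6", "192.168.0.43"),
    (22, "70ec2fe5fa197bcc", "b8:8d:12:10:8d:f6", "98.109.201.89", "b8:8d:12:10:8d:f6", "192.168.0.43"),
    (23, "constructed-0001", "b8:8d:12:10:8d:f6", "192.168.1.1", "b8:8d:12:10:8d:f6", "192.168.0.43"),  # constructed
]


def load_radacct(rows=SAMPLE_RADACCT):
    """Build an in-memory table with the radacct columns the checks need."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, acctuniqueid TEXT, "
        "username TEXT, nasipaddress TEXT, callingstationid TEXT, framedipaddress TEXT)"
    )
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def ips_per_station(conn):
    """Calling-Station-Id (the default pool key) -> sorted distinct framed IPs."""
    result = defaultdict(list)
    for mac, ip in conn.execute(
        "SELECT DISTINCT callingstationid, framedipaddress FROM radacct ORDER BY 1, 2"
    ):
        result[mac].append(ip)
    return dict(result)


def nas_addresses_per_station(conn):
    """Calling-Station-Id -> sorted distinct nasipaddress values it was seen from."""
    result = defaultdict(list)
    for mac, nas in conn.execute(
        "SELECT DISTINCT callingstationid, nasipaddress FROM radacct ORDER BY 1, 2"
    ):
        result[mac].append(nas)
    return dict(result)


def report(conn):
    """Return (kind, station, values) findings for stations that look inconsistent."""
    findings = []
    for mac, ips in ips_per_station(conn).items():
        if len(ips) > 1:
            findings.append(("multiple-ips", mac, ips))
    for mac, nas in nas_addresses_per_station(conn).items():
        if len(nas) > 1:
            findings.append(("nas-ip-varies", mac, nas))
    return findings


if __name__ == "__main__":
    for kind, mac, values in report(load_radacct()):
        print(f"{kind}: {mac} -> {', '.join(values)}")
```

On the sample data the script flags b8:8d:12:10:8d:f6 twice: once for having been given both 192.168.0.40 and 192.168.0.43, and once for appearing with both nasipaddress values. When the NAS address varies per station, any pool query that keys on nasipaddress as well as the pool key will not find the earlier lease, which is one way an address can be reallocated on every re-authentication.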


