dhcp sqlippool reauthenticate users every minute

Ethan Hayon ehayon at gmail.com
Sat Jan 12 04:36:36 CET 2013

On Jan 11, 2013, at 6:38 PM, Alan DeKok <aland at deployingradius.com> wrote:

Hi Alan, thanks for the response.

> Ethan Hayon wrote:
>> When I run the server in debug mode the Acct-Unique-Session-ID remains
>> the same across the interim accounting updates. However,
>> re-authentications don't seem to have a unique key associated with them. 
>  That makes no sense.  There is *nothing* unique to each user you can
> key off of?  Name?  MAC address?

Yes, the MAC address is unique for each user. The MAC should be a unique identifier when assigning IPs.

>> In my post-auth policy, I am updating control with the proper pool-name
>> (with an unlang), changing some other reply attributes, then calling
>> dhcp_sqlippool. What I am doing doesn't /feel/ right. I am very new to
>> this, does this sound like the proper way of handling the serving of
>> IPs on multiple subnets? DHCP-Domain-Name-Server and
>> DHCP-Router-Address will change between pools. 
>  Get one thing working first.  Only then look at the next thing.

Good point.

>> I guess I'm asking if I am approaching this correctly: Using unlang in
>> policy.conf to handle these rules. 
>  unlang is for policy rules.  Databases are for data.  You've got some
> kind of mixup between the two.

Sorry for the misunderstanding. I understand this. I'm just making sure it is normal to use unlang in the policy.conf to perform sql queries and use the results to build up a response. Again, I need to get this working before worrying about that.

>> Sorry to put such a long debug message in here. I pulled out one
>> authorization request, but they all look the same. It looks like 
>  They don't all look the same.  They contain different information for
> each user.  How else does the server tell users apart?

I am only using one device right now, so the auth requests look the same, hence why I only included one below. The auth requests will look different if I introduce more devices into the system.

>> This is what my authorization looks like:
>> The request comes in with a framed ip of, but it tries to
>> serve it
>  The default queries use Calling-Station-Id to track IP addresses.
> They *also* assume that the NAS sends accounting packets, so that each
> user has an accounting entry in SQL.
>> It reallocates a new IP for each auth every minute.
>  Probably because the NAS isn't sending accounting data.  So the IP is
> never tracked in SQL.
>  So... did you look in the SQL database to see what's there?  Is it
> tracking the IP?  Does the user have an accounting record?

Yes, the NAS is sending accounting data. This is what radacct looks like (some columns omitted):

| radacctid | acctsessionid    | acctuniqueid     | username          | nasipaddress  | callingstationid  | calledstationid | framedipaddress |
|        17 | 9e90e1a3b02da713 | 068649e121f096f2 | b8:8d:12:10:8d:f6 | | b8:8d:12:10:8d:f6 |   |    |
|        18 | 61ebc2f61333e8d4 | 857f2f856c1ea384 | b8:8d:12:10:8d:f6 | | b8:8d:12:10:8d:f6 |   |    |
|        19 | a8aed7c0d9ce3bd1 | 541ef5a9672cc6e7 | b8:8d:12:10:8d:f6 | | b8:8d:12:10:8d:f6 |   |    |
|        20 | 5bd18f3ccb1edf8a | e3c55f048d9a680b | b8:8d:12:10:8d:f6 | | b8:8d:12:10:8d:f6 |   |    |
|        21 | 72ad87c6b43a08b4 | e427b47f54737c4f | b8:8d:12:10:8d:f6 | | b8:8d:12:10:8d:f6 |   |    |
|        22 | bff889e83c3b469b | 70ec2fe5fa197bcc | b8:8d:12:10:8d:f6 | | b8:8d:12:10:8d:f6 |   |    |

So there is an accounting record for each user and each user session.

Right now, I'm thinking there is a mismatch either in the nasipaddress or some other attribute. The NAS has a WAN IP of and a LAN IP of The RADIUS server is on LAN at I have noticed that sometimes the nasipaddress appears as and other times as I think I am going to start with a fresh install of FreeRADIUS. I messed with too many queries (such as adjusting the Pool-Key) and I am worried that I have created a mess.

Ethan Hayon

>  Alan DeKok.

More information about the Freeradius-Users mailing list