IP-Address

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Mar 25 14:36:47 CET 2014


On 24 Mar 2014, at 15:12, Bruce Richardson <bruce_m_richardson at unitedbiscuits.com> wrote:

> Hi,
> 
> I have been using freeradius for many years now to authenticate WiFi users against active directory, and it all works perfectly. 
> 
> I am now trying to integrate it with the identity awareness built into our Checkpoint firewall system; this is able to take radius authentication packets and build a list of users against IP addresses. 
> 
> I understand that you can replicate the accounting data on from freeradius but for this to work obviously the WiFi client's IP address needs to be in the radius accounting data. At the moment it isn't because at the point when the accounting data is sent the client has not yet sent its DHCP request. 
> 
> Am I correct that to get the IP address into the radius accounting the freeradius server needs to be configured to send out the IP addresses rather than a different DHCP server?
>
> If this is correct, could I create different IP pools to be used for each site, and have the correct IP data sent out for different sets of wifi access points (NAS)?
>
> Many thanks for reading this, I just want to know I am going in the correct direction.
> 

Usually this is a feature of the NAS which snoops the DHCP conversation between the client and the DHCP server, and adds it to Accounting-Requests (as the Framed-IP-Address).

The only way I can really think of doing this is to proxy accounting data through a server which has access to the lease database, which augments the Accounting-Requests with the current lease info.

You could use Calling-Station-ID and the DHCP-Client-Hardware-Address to do the matching.

It's open to various forms of subversion though... But no worse than DHCP-Snooping.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
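
The matching step described in the reply above, as an added example that is not part of the original post or of FreeRADIUS: it looks up the Calling-Station-Id of an Accounting-Request in a lease table and adds Framed-IP-Address only when exactly one unexpired lease matches. The lease table layout, the `augment` and `normalize_mac` names, and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lease table (hypothetical schema, not a real DHCP server format).
LEASES = [
    {"mac": "00:11:22:aa:bb:cc", "ip": "10.1.0.23", "expires": "2014-03-25T15:00:00"},
    {"mac": "00:11:22:aa:bb:cc", "ip": "10.1.0.99", "expires": "2014-03-24T09:00:00"},
    {"mac": "00-11-22-DD-EE-FF", "ip": "10.2.0.7", "expires": "2014-03-25T18:00:00"},
    {"mac": "0011.22dd.eeff", "ip": "10.2.0.8", "expires": "2014-03-25T18:00:00"},
]
NOW = datetime(2014, 3, 25, 14, 36, 47)  # constructed "current time" for the sample


def normalize_mac(value):
    """Return 12 lowercase hex digits for common MAC notations, else None."""
    stripped = re.sub(r"[-:.]", "", value or "").lower()
    return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else None


def augment(acct, leases, now):
    """Copy an Accounting-Request dict, adding Framed-IP-Address when it is unambiguous."""
    out = dict(acct)
    if "Framed-IP-Address" in out:
        return out  # the NAS already reported an address; do not override it
    mac = normalize_mac(out.get("Calling-Station-Id"))
    if mac is None:
        return out  # unparseable station id: nothing to match on
    active = {
        lease["ip"]
        for lease in leases
        if normalize_mac(lease["mac"]) == mac
        and datetime.fromisoformat(lease["expires"]) > now
    }
    # Both sides of the match are client-supplied MACs, so refuse to guess when
    # one MAC holds several live leases instead of binding a user to the wrong IP.
    if len(active) == 1:
        out["Framed-IP-Address"] = active.pop()
    return out


if __name__ == "__main__":
    for station in ("00-11-22-AA-BB-CC", "0011.22DD.EEFF", "not-a-mac"):
        request = {"Acct-Status-Type": "Start", "Calling-Station-Id": station}
        print(station, "->", augment(request, LEASES, NOW).get("Framed-IP-Address"))
```

Requests left without a Framed-IP-Address (no lease, expired lease, or several live leases for one MAC) are worth logging rather than silently forwarding, since those are the cases where the user-to-IP mapping cannot be trusted.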
