Multiple ippools and assigning them depending on realms
Alan DeKok
aland at deployingradius.com
Wed Jul 20 18:52:23 CEST 2016
On Jul 20, 2016, at 2:11 PM, Uwe Freier <uwe at freier.de> wrote:
> basically I got my freeradius (v 2.1.10, Ubuntu 14.04) working through the documentation but I reached a point where I don't know how to continue and therefore dare to ask for help here.
> The radius does actually authentication of dial-in users and accounts their traffic. Some users have a static IP as a reply attribute, the others get dynamic IP addresses directly from the MX104
> and this works without problems so far. Now the IP assignment should be switched to the radius and the IP addresses shall be assigned depending on the users' realms. The recent users with static IP addresses shall keep them, I hope to reach this with "override = no" in the ippool settings.
OK.
> Therefore I set up 3 ippools (for 3 realms) as described in "Custom configuration" of the docs (-> modules/Rlm_ippool) but I'm not sure about the settings in ./sites-available/default concerning multiple ippools:
Read the IPPool example. The ippool module manages IPs in pools. It can deal with multiple pools simultaneously. Just set the Pool-Name attribute.
> Should all 3 ippools be listed here?
No. You just need one "ippool" module.
> and in the same file:
>
> ###
> post-auth {
> # Get an address from the IP Pool.
> # main_pool
That is where IPs are assigned.
> This I don't really understand - is this an alternative to assigning ip addresses via ./users
It runs the "ippool" module, which assigns IP address.
> or is this a switch to enable the pool(s) generally? Should I list all ippools here?
See above.
> Because the 3 ippools shall be assigned to users depending on 3 realms, so my ./users at the end looks like:
>
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP,
> Framed-IP-Address = 255.255.255.254,
> Fall-Through = Yes
>
> [...]
>
> DEFAULT Realm == "realm1", Pool-Name:= ippool1
> DEFAULT Realm == "realm2", Pool-Name:= ippool2
> DEFAULT Realm == "realm3", Pool-Name:= ippool3
>
> Is this a viable option?
Yes. Not that it does NOT run the "ippool" module. It just tells the ippool module what to do.
And you'll also need to put that into the "acct_users" file.
> I'm a bit confused because In "guide/Ippool and radius clients" there is an example where an ippool is assigned but no Framed-IP-Address:
Because the "ippool" module assigns the Framed-IP-Address. You tell it to use a pool, and it does various DB magic to select an address from that pool.
> Isn't the setting "Framed-IP-Address = 255.255.255.254" necessary,
It's not necessary. Delete it.
Alan DeKok.
More information about the Freeradius-Users
mailing list