Freeradius Proxy - Framed IP Address Accounting attribute
Byron Jeffery
byronjeffery at cem.org.au
Wed Aug 2 01:18:06 CEST 2017
Thanks Alan
Unfortunately the NAS does not include the Framed IP Address in its
accounting packet which is what we require to enable automatic login to our
content filter through wifi.
I am pretty sure I am missing parts of the puzzle and am more than likely
confusing myself.
As our NAS does not include the framed IP address in its accounting packet,
I was of the mindset to build a trial system that uses the FreeRadius
server with the included DHCP and Radius authentication services.
For the DHCP there are two VLAN subnets with the Radius authentication
against a users file and returning the VLAN ID. This all works well as
expected where the user authenticates successfully and the DHCP server
returns an IP address from the correct IP Pool.
I guess the missing puzzle piece for me is at which point does the client
device obtain their IP address from the DHCP server, during post-auth or
after post-auth? If it is after post-auth, then I am correct in saying
that there would be no purpose in querying the FreeRadius DHCP IP pool
database as the IP Address would not have been assigned by then?
- Kind Regards
- Byron Jeffery
-
On Wed, Aug 2, 2017 at 5:34 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Aug 1, 2017, at 8:21 AM, Byron Jeffery <byronjeffery at cem.org.au> wrote:
> >
> > I currently have a test FreeRadius server setup for authentication (local
> > user file) and DHCP which is working as intended, however, I am trying
> to
> > implement a solution whereby the Framed IP Address attribute and username
> > is sent to an accounting server at some point during or after the
> > authentication process.
>
> The NAS is responsible for sending accounting packets. If you want
> something in the accounting packets, see the NAS documentation.
>
> > My understanding is that after the user successfully authenticates, the
> > client device then proceeds to obtain an IP address from the DHCP,
>
> Yes. And the DHCP address assignment has pretty much nothing to do with
> RADIUS.
>
> > however,
> > am I correct in saying that if I wish to obtain the Framed IP Address, I
> > will not be able to obtain this after the authentication (ie: post-auth).
>
> post-auth runs before the Access-Accept is sent back.
>
> If the IP is assigned via DHCP, it won't be available in post-auth.
>
> > If so, am I able to make a call to the dhcp_sqlippool to get an IP during
> > the post-auth process or is there a better alternative method to do this?
>
> You can call dhcp_sqlippool, but it won't do what you want.
>
> I think you're missing parts of the puzzle. For one, you're not
> explaining everything that's going on in your system. Is DHCP being
> assigned via RADIUS?
>
> What you *can* do is assign Framed-IP-Address in post-auth. Then, if
> you're using FreeRADIUS for DHCP, you can have it query the IP pool based
> on MAC to find the same IP.
>
> But that requires understanding how the pieces work together. There is
> no default configuration which just works here.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
More information about the Freeradius-Users
mailing list