Freeradius Proxy - Framed IP Address Accounting attribute

Byron Jeffery byronjeffery at cem.org.au
Thu Aug 3 13:08:11 CEST 2017 

Thanks Matthew for confirming the process.

I had managed to figure out exactly as you had mentioned whereby I would be
getting the IP address during post-auth, thank you for the confirmation.
I looked at the vlan id and then based on that set the pool and then called
dhcp_sqlippool.  I figured that this was the best way to get an IP address
for the client based on the calling-station-id so that I could then have an
IP address for accounting start.  This also meant that the client would be
served the same IP address based on its mac address once it had the access
accept and hit up the DHCP server for an IP address.  In my testing, this
works well.

When you mentioned accounting-start, I could not find any reference to it
other than assume you are referring to the accounting section the the
sites-enabled/default config.  My other thought from research is to use the
copy-acct-to-home-server, would that be correct, or am I wrong?

Fixing the NAS relies on the vendor, which we have been advised that are
working on it.  However, I was of the mindset of building an interim
solution until they release the fix.

Thank you once again for you assistance.


   - Kind Regards

   - Byron Jeffery
   -


On Wed, Aug 2, 2017 at 6:33 PM, Matthew Newton <mcn at freeradius.org> wrote:

> On Wed, 2017-08-02 at 09:18 +1000, Byron Jeffery wrote:
> > I guess the missing puzzle piece for me is at which point does the
> > client
> > device obtain their IP address from the DHCP server, during post-auth
> > or
> > after post-auth?  If it is after post-auth, then I am correct in
> > saying
> > that there would be no purpose in querying the FreeRadius DHCP IP
> > pool
> > database as the IP Address would not have been assigned by then?
>
> Generally speaking the order is - Authentication happens first, to
> permit the device access to the network. Then the Accounting-Start as
> the new session is created. Then DHCP as the device tries to get an
> address. Finally you might get an Accounting Interim-Update with the
> new DHCP-assigned IP address for the session in it.
>
> So to do what you want to do you probably need to assign the IP address
> for the device in post-auth (at the end of authentication) keyed off
> the Calling-Station-ID, which is hopefully the device MAC address. You
> could send that back as Framed-IP-Address if you really want, but it
> sounds like the NAS won't care anyway.
>
> Then on Accounting-Start you can key off Calling-Station-ID to pull
> that IP address out of the database and create your own Framed-IP-
> Address, should you need it at this stage.
>
> Then in DHCP rather than assigning an IP address you should again just
> look it up in the database (again, Calling-Station-ID should be the MAC
> address) and send that back to the client. If there's nothing in the
> database then just refuse to send anything back, as the client hasn't
> been through authentication properly. And be careful around DHCP
> renewals and when IPs expire from the database for a particular device.
>
> As a start you should look at moving the IP address assignment from the
> DHCP authorize config into the RADIUS post-auth section, and then tweak
> from there.
>
> Or fix/replace the NAS so it correctly reports the device's IP address,
> which would probably be a lot simpler...
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>

More information about the Freeradius-Users mailing list