Freeradius Proxy - Framed IP Address Accounting attribute

Byron Jeffery byronjeffery at cem.org.au
Mon Aug 28 11:27:43 CEST 2017


Hi all

I would like to thank you for all your assistance with my build of a
Freeradius DHCP server using a SQL IPPOOL database.  My test environment is
running well and has been a perfect solution for including the
Framed-IP-Address in the proxied accounting packet for our wifi
infrastructure.
I do have one question though regarding static IP addresses.  I am a little
confused on the best practice regarding setting up clients as to whether it
is best to set them up in the mac2ip file or enter them into a SQL
database.  If I enter them into the SQL database the lease period is set
when the client successfully gets an IP address, however, how do I define an
indefinite lease without it being overwritten?



Kind Regards

Byron Jeffery
ICT Helpdesk Coordinator


On Thu, Aug 3, 2017 at 9:08 PM, Byron Jeffery <byronjeffery at cem.org.au>
wrote:

> Thanks Matthew for confirming the process.
>
> I had managed to figure out exactly as you had mentioned whereby I would
> be getting the IP address during post-auth, thank you for the confirmation.
>
> I looked at the vlan id and then based on that set the pool and then
> called dhcp_sqlippool.  I figured that this was the best way to get an IP
> address for the client based on the calling-station-id so that I could then
> have an IP address for accounting start.  This also meant that the client
> would be served the same IP address based on its mac address once it had
> the access accept and hit up the DHCP server for an IP address.  In my
> testing, this works well.
>
> When you mentioned accounting-start, I could not find any reference to it
> other than to assume you are referring to the accounting section in the
> sites-enabled/default config.  My other thought from research is to use the
> copy-acct-to-home-server, would that be correct, or am I wrong?
>
> Fixing the NAS relies on the vendor, who we have been advised are
> working on it.  However, I was of the mindset of building an interim
> solution until they release the fix.
>
> Thank you once again for your assistance.
>
>
> Kind Regards
>
> Byron Jeffery
>
>
> On Wed, Aug 2, 2017 at 6:33 PM, Matthew Newton <mcn at freeradius.org> wrote:
>
>> On Wed, 2017-08-02 at 09:18 +1000, Byron Jeffery wrote:
>> > I guess the missing puzzle piece for me is at which point does the
>> > client
>> > device obtain their IP address from the DHCP server, during post-auth
>> > or
>> > after post-auth?  If it is after post-auth, then I am correct in
>> > saying
>> > that there would be no purpose in querying the FreeRadius DHCP IP
>> > pool
>> > database as the IP Address would not have been assigned by then?
>>
>> Generally speaking the order is - Authentication happens first, to
>> permit the device access to the network. Then the Accounting-Start as
>> the new session is created. Then DHCP as the device tries to get an
>> address. Finally you might get an Accounting Interim-Update with the
>> new DHCP-assigned IP address for the session in it.
>>
>> So to do what you want to do you probably need to assign the IP address
>> for the device in post-auth (at the end of authentication) keyed off
>> the Calling-Station-ID, which is hopefully the device MAC address. You
>> could send that back as Framed-IP-Address if you really want, but it
>> sounds like the NAS won't care anyway.
>>
>> Then on Accounting-Start you can key off Calling-Station-ID to pull
>> that IP address out of the database and create your own Framed-IP-
>> Address, should you need it at this stage.
>>
>> Then in DHCP rather than assigning an IP address you should again just
>> look it up in the database (again, Calling-Station-ID should be the MAC
>> address) and send that back to the client. If there's nothing in the
>> database then just refuse to send anything back, as the client hasn't
>> been through authentication properly. And be careful around DHCP
>> renewals and when IPs expire from the database for a particular device.
>>
>> As a start you should look at moving the IP address assignment from the
>> DHCP authorize config into the RADIUS post-auth section, and then tweak
>> from there.
>>
>> Or fix/replace the NAS so it correctly reports the device's IP address,
>> which would probably be a lot simpler...
>>
>> --
>> Matthew
>>
>>
>
>
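
A minimal model of the ordering described in the quoted reply (allocate in post-auth keyed on Calling-Station-Id, look the address up at Accounting-Start, and only look it up again in DHCP), added here as an illustration; it is not code from the thread or from FreeRADIUS. The table layout, function names and one-hour lease are assumptions, and an in-memory SQLite table stands in for the real IP pool database.

```python
import sqlite3

LEASE_SECONDS = 3600  # assumed lease length for this sketch

def open_pool(addresses):
    """In-memory stand-in for the SQL IP pool (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pool (ip TEXT PRIMARY KEY, pool_key TEXT, expiry INTEGER)")
    db.executemany("INSERT INTO pool VALUES (?, NULL, 0)", [(a,) for a in addresses])
    return db

def lookup(db, mac, now):
    """Return the unexpired address bound to this MAC, or None."""
    row = db.execute("SELECT ip FROM pool WHERE pool_key = ? AND expiry > ?",
                     (mac, now)).fetchone()
    return row[0] if row else None

def post_auth(db, mac, now):
    """End of authentication: bind an address to the Calling-Station-Id."""
    ip = lookup(db, mac, now)
    if ip is None:
        # Take any address that is free or whose lease has run out.
        row = db.execute("SELECT ip FROM pool WHERE expiry <= ? ORDER BY ip LIMIT 1",
                         (now,)).fetchone()
        if row is None:
            return None  # pool exhausted
        ip = row[0]
    db.execute("UPDATE pool SET pool_key = ?, expiry = ? WHERE ip = ?",
               (mac, now + LEASE_SECONDS, ip))
    return ip

def accounting_start(db, mac, now):
    """Accounting-Start: add Framed-IP-Address from the stored binding, if any."""
    attrs = {"Calling-Station-Id": mac}
    ip = lookup(db, mac, now)
    if ip is not None:
        attrs["Framed-IP-Address"] = ip
    return attrs

def dhcp_request(db, mac, now):
    """DHCP: never allocate here, only return what post-auth stored."""
    ip = lookup(db, mac, now)
    if ip is None:
        return None  # not authenticated, or binding expired: send no reply
    # A renewal extends the binding so the address is not reassigned mid-session.
    db.execute("UPDATE pool SET expiry = ? WHERE ip = ?", (now + LEASE_SECONDS, ip))
    return ip
```

The `expiry > now` filter in `lookup` is where the renewal and expiry caveat shows up: once a binding lapses, DHCP stops answering for that MAC until the device authenticates again.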

