redis-ippool and multiple pools

Miguel Berniz mberniz at gibfibre.com
Sun Jan 28 00:00:21 UTC 2024


Hi,

I am having issues understanding how to pass &control.IP-Pool.Name to the module, as I need to use different pools for dynamic assignment and fixed assignment, for both fixed IP addresses and fixed subnets. If I just use a string with the pool name in the module it works, but that way I understand I am limited to using a single pool.

Relevant config sections are as follows:

-default site
recv Access-Request {
        update control {
        &Password.cleartext := %redis(hget, radcheck:%{User-Name}, Cleartext-Password)
        &IP-Pool.name := %redis(hget, radcheck:%{User-Name}, IP-Pool)
        }

-redis_ippool
redis_ippool {
        #
        #  pool_name:: Name of the pool from which leases are allocated.
        #
        pool_name = &control.IP-Pool.Name

-Example of redis monitor
1706399030.648328 [0 127.0.0.1:50284] "hget" "radcheck:test3" "Cleartext-Password"
1706399030.648554 [0 127.0.0.1:50284] "hget" "radcheck:test3" "IP-Pool"

-Radius log
(8)      Packet-Type = Access-Request
(8)    Running 'recv Access-Request' from file /usr/local/etc/raddb/sites-enabled/default
(8)    recv Access-Request {
(8)      update control {
(8)        | redis
(8)              | %{User-Name}
(8)              | --> test3
(8)          REDIS command arguments
(8)          Reserved connection (0)
(8)          [1] >>> Sending command(s) to 127.0.0.1:6379
(8)          Executing command: hget
(8)          With arguments
(8)            [1] radcheck:test3
(8)            [2] Cleartext-Password
(8)          [1] <<< Returned: success
(8)          Released connection (0)
(8)        | %redis({hget}{radcheck:, test3}{Cleartext-Password})
(8)        | --> test
(8)        | redis
(8)              | %{User-Name}
(8)              | --> test3
(8)          REDIS command arguments
(8)          Reserved connection (0)
(8)          [1] >>> Sending command(s) to 127.0.0.1:6379
(8)          Executing command: hget
(8)          With arguments
(8)            [1] radcheck:test3
(8)            [2] IP-Pool
(8)          [1] <<< Returned: success
(8)          Released connection (0)
(8)        | %redis({hget}{radcheck:, test3}{IP-Pool})
(8)        | --> Dyn_Internet
(8)        &Password.cleartext := "test"
(8)        &IP-Pool.name := "Dyn_Internet"
(8)      } # update control (noop)
(8)      policy filter_username {
(8)        if (&State)  {
(8)          | &State
(8)          | %exists()
(8)          | --> false
(8)          ...
(8)        }
(8)        elsif (&User-Name)  {
(8)          | &User-Name
(8)          | %exists()
(8)          | --> true
(8)          if (&User-Name =~ / /)  {
(8)            | =~
(8)                | &User-Name
(8)                  | &User-Name
(8)                  | --> test3
(8)            | %reg_eq({test3})
(8)            | --> false
(8)            ...
(8)          }
(8)          if (&User-Name =~ /@[^@]*@/ )  {
(8)            | =~
(8)                | &User-Name
(8)                  | &User-Name
(8)                  | --> test3
(8)            | %reg_eq({test3})
(8)            | --> false
(8)            ...
(8)          }
(8)          if (&User-Name =~ /\.\./ )  {
(8)            | =~
(8)                | &User-Name
(8)                  | &User-Name
(8)                  | --> test3
(8)            | %reg_eq({test3})
(8)            | --> false
(8)            ...
(8)          }
(8)          if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/))   {
(8)            | &&
(8)              | =~
(8)            | %logical_and()
(8)                  | &User-Name
(8)                    | &User-Name
(8)                    | --> test3
(8)              | %reg_eq({test3})
(8)              | --> false
(8)              | %logical_and(...)
(8)            ...
(8)          }
(8)          if (&User-Name =~ /\.$/)   {
(8)            | =~
(8)                | &User-Name
(8)                  | &User-Name
(8)                  | --> test3
(8)            | %reg_eq({test3})
(8)            | --> false
(8)            ...
(8)          }
(8)          if (&User-Name =~ /@\./)   {
(8)            | =~
(8)                | &User-Name
(8)                  | &User-Name
(8)                  | --> test3
(8)            | %reg_eq({test3})
(8)            | --> false
(8)            ...
(8)          }
(8)          &session-state.Session-State-User-Name := test3
(8)        } # elsif (&User-Name)  (noop)
(8)      } # policy filter_username (noop)
(8)      chap (noop)
(8)      digest (noop)
(8)      pap - Setting &control.Auth-Type = pap
(8)      pap (updated)
(8)    } # recv Access-Request (updated)
(8)    Running 'authenticate pap' from file /usr/local/etc/raddb/sites-enabled/default
(8)    authenticate pap {
(8)      pap - Login attempt with password
(8)      pap - Using "known good" cleartext password Cleartext
(8)      pap - Comparing with "known-good" Cleartext (4)
(8)      pap - User authenticated successfully
(8)      pap (ok)
(8)    } # authenticate pap (ok)
(8)    Running 'send Access-Accept' from file /usr/local/etc/raddb/sites-enabled/default
(8)    send Access-Accept {
(8)      &reply += {
(8)        &Session-State-User-Name = test3
(8)      }
(8)      ERROR: Failed to evaluate required module option pool_name = &control.IP-Pool.Name

What am I missing?

Thanks in advance.