redis-ippool and multiple pools

Miguel Berniz mberniz at gibfibre.com
Sun Jan 28 19:00:43 UTC 2024


Hi Nick,

Thanks for the update.

>       The concept with IP pools is that you use some policy to set the IP pool
>       name based on attributes seen in the incoming request - so yes, for a
>       given request you typically only use a single pool.

>>          update control {
>>          &Password.cleartext := %redis(hget, radcheck:%{User-Name}, Cleartext-Password)
>>          &IP-Pool.name := %redis(hget, radcheck:%{User-Name}, IP-Pool)
>>          }

>       So you are setting the pool name based on some data you have stored in
>       redis keyed off the user name.

That’s correct, the only variable that discriminates the intended pool for the user is the username. So here is how it looks in Redis:

127.0.0.1:6379> hgetall "radcheck:test3"
1) "Cleartext-Password"
2) "test"
3) "op"
4) ":="
5) "IP-Pool"
6) "Dyn_Internet"

>       What is it that you actually want to do which this won't allow you to do?

Well, that is what I am asking. On an Access-Request type packet, the update control function is executed (I have triggered that in both the “recv Access-Request” and “send Access-Accept” sections) and I can see the dynamic expansion working as expected in the debug log:

Ready to process requests
proto_radius_udp - Received Access-Request ID 250 length 222 radius_udp server * port 1812
Worker - Resetting cleanup timer to +30
(0)  default {
(0)    Received Access-Request ID 250 from 10.0.96.123:40545 to 10.0.96.2:1812 via eth0
.
(0)    Running 'recv Access-Request' from file /usr/local/etc/raddb/sites-enabled/default
(0)    recv Access-Request {
(0)      update control {
(0)        | redis
(0)              | %{User-Name}
(0)              | --> test1
(0)          REDIS command arguments
(0)          Reserved connection (0)
(0)          [1] >>> Sending command(s) to 127.0.0.1:6379
(0)          Executing command: hget
(0)          With arguments
(0)            [1] radcheck:test1
(0)            [2] Cleartext-Password
(0)          [1] <<< Returned: success
(0)          Released connection (0)
(0)        | %redis({hget}{radcheck:, test1}{Cleartext-Password})
(0)        | --> test
(0)        | redis
(0)              | %{User-Name}
(0)              | --> test1
(0)          REDIS command arguments
(0)          Reserved connection (0)
(0)          [1] >>> Sending command(s) to 127.0.0.1:6379
(0)          Executing command: hget
(0)          With arguments
(0)            [1] radcheck:test1
(0)            [2] IP-Pool
(0)          [1] <<< Returned: success
(0)          Released connection (0)
(0)        | %redis({hget}{radcheck:, test1}{IP-Pool})
(0)        | --> Dyn_Internet
(0)        &Password.cleartext := "test"
(0)        &control.IP-Pool.Name := "Dyn_Internet"
(0)      } # update control (noop)
.
(0)    } # authenticate pap (ok)
(0)    Running 'send Access-Accept' from file /usr/local/etc/raddb/sites-enabled/default
(0)    send Access-Accept {
(0)      &reply += {
(0)        &Session-State-User-Name = test1
(0)      }
(0)      update control {
(0)        | redis
(0)              | %{User-Name}
(0)              | --> test1
(0)          REDIS command arguments
(0)          Reserved connection (0)
(0)          [1] >>> Sending command(s) to 127.0.0.1:6379
(0)          Executing command: hget
(0)          With arguments
(0)            [1] radcheck:test1
(0)            [2] IP-Pool.Name
(0)          [1] <<< Returned: success
(0)          Released connection (0)
>>>(0)        | %redis({hget}{radcheck:, test1}{IP-Pool.Name})
>>>(0)        | --> Dyn_Internet
>>>(0)        &control.IP-Pool.Name := "Dyn_Internet"
(0)      } # update control (noop)
Issue is this >>>(0)      ERROR: Failed to evaluate required module option pool_name = &control.IP-Pool.Name
(0)    } # send Access-Accept (fail)
(0)    default (ok)
(0)  } # default (ok)
(0)  Done request

Kindest regards,

Miguel


More information about the Freeradius-Users mailing list