mad wrote:
Hello,
I have a FreeRADIUS server; I use EAP/TTLS authentication with 802.1X and LDAP. I want to save the username, the IP address, the MAC address, the start time and the stop time of the connection with the accounting function (with MySQL). I have a problem with the IP address ... because it's dhcpd that gives an IP address to the client, so FreeRADIUS doesn't have this information.

Correct


I have tried ippool in FreeRADIUS (FreeRADIUS wants to give an IP address but the client doesn't receive it). Also I have read that it's impossible to use ippool with EAP and when there are access points and/or switches between client and server ... is this true?

I'm afraid so. EAP happens before IPs are assigned, and doesn't interact with DHCP.


I have also tried other solutions (with syslog-ng, which gets the IP address from the log and inserts it into the acct table ..., a script with omshell which lets FreeRADIUS tell dhcpd what IP address to give to this client ...) BUT I think these solutions are very unstable ...

The omshell one is a clever idea. But you're right, it's not very stable.

I think for the moment processing the DHCP logs or lease database and adding it to the radius accounting table will be needed.

The other way would be to get a list of IP->mac (either by processing the logs or "snmpwalk ipnettomedia" of the router) and dump them to a file, then use the "hints" and an "exec" module to insert the IP into the accounting requests. Obviously the accounting-start will happen before you have that info, but the interim and accounting-stop should be ok. So, something like this in "hints":

DEFAULT
        Framed-IP-Address = `%{lookup_ip:/usr/local/bin/lookup_ip}`

and in radiusd.conf:

modules {
  exec lookup_ip {
    # wait = yes is required when the instance is used as an xlat
    wait = yes
    # program is used when lookup_ip is called as a module; as an xlat the
    # command is the argument of %{lookup_ip:...}
    program = "/usr/local/bin/lookup_ip"
    # pass the request attributes to the script as environment variables
    input_pairs = request
  }
}

If you have access to the DHCP server's leases database (assuming ISC dhcpd) then the following would work as a script (or something like it - this is untested):

#!/bin/sh
# lookup_ip - called by rlm_exec (wait = yes, input_pairs = request), so the
# request attributes are passed in as environment variables.  Prints the IP
# of the one active dhcpd lease for the client's MAC, or exits non-zero.

BUF=`mktemp` || exit 1
trap "rm -f $BUF" EXIT

# Calling-Station-Id carries the client MAC in whatever form the NAS uses
# (00-0C-29-3E-5A-1B, 00:0c:29:3e:5a:1b, 000c.293e.5a1b ...).  dhcpd.leases
# always writes it lower-case and colon-separated, so normalise to that.
MAC=`echo "$CALLING_STATION_ID" | tr -d ':.-' | tr 'A-F' 'a-f' |
     sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1:\2:\3:\4:\5:\6/'`
if [ -z "$MAC" ]
then
        exit 1
fi

DHCP_LEASES=/var/lib/dhcp/dhcpd.leases

# dhcpd appends a new record whenever a lease changes state, so for each IP
# the last record in the file is the current one.  Keep an IP only if its
# last record is an active lease for our MAC; anything else (expired, freed,
# or re-leased to another client) drops it again.
awk -v MAC="$MAC" '
/^#/ { next; }
/^lease / { ip = $2; state = ""; mac = ""; next; }
/^}/ {
    if (ip != "") {
        if (state == "active" && mac == MAC)
            leases[ip] = mac;
        else
            delete leases[ip];
    }
    ip = "";
    next;
}
{
    if (ip == "")
        next;
    if ($1 == "binding" && $2 == "state") {
        state = $3;
        gsub(/;/, "", state);
    } else if ($1 == "hardware" && $2 == "ethernet") {
        mac = $3;
        gsub(/;/, "", mac);
    }
}
END {
    for (ip in leases)
        print ip, leases[ip];
}' "$DHCP_LEASES" >"$BUF" || exit 1

NUM_LEASES=`wc -l "$BUF" | awk '{ print $1 }'`
if [ "$NUM_LEASES" -gt 1 ]
then
        # >1 active lease for this MAC: ambiguous, so return nothing rather
        # than a possibly wrong address
        exit 1
elif [ "$NUM_LEASES" -ne 1 ]
then
        # no active lease
        exit 1
else
        cut -d ' ' -f 1 "$BUF"
fi


What do you think about this?
Do you have another solution?

Sorry, my English is rusty ... and thanks for your answers

Your English is better than my - well, anything!


Regards,

Psymad


Hope that helps
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
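The same lookup as the shell/awk script in the reply above, written as an added example that is not part of the original thread and not FreeRADIUS code. It serves both suggestions in the reply (processing the lease database, and feeding the result to the accounting request through rlm_exec) and makes the cases that bite in practice explicit: the NAS's spelling of the MAC in Calling-Station-Id, a later lease record for the same IP superseding an earlier one, and a record still marked active whose "ends" time has passed. The sample lease data is constructed, and the default dhcpd.leases time format (UTC "ends W YYYY/MM/DD HH:MM:SS"), the default lease-file path and the CALLING_STATION_ID environment variable are assumptions.

```python
import os
import re
from datetime import datetime, timezone

# Added example, not the poster's script or FreeRADIUS code. Assumes the default
# dhcpd.leases layout ("ends W YYYY/MM/DD HH:MM:SS" in UTC) and that rlm_exec
# passes the request attributes as environment variables.
LEASE_START = re.compile(r"^lease\s+(\S+)\s*\{")

def normalize_mac(raw):
    """00-0C-29-3E-5A-1B / 000c.293e.5a1b / 000C293E5A1B -> 00:0c:29:3e:5a:1b."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ends(fields):
    """['never'] -> None; ['W', 'YYYY/MM/DD', 'HH:MM:SS'] -> aware UTC time."""
    if fields[0] == "never":
        return None
    stamp = datetime.strptime(fields[1] + " " + fields[2], "%Y/%m/%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)

def parse_leases(text):
    """Map IP -> {mac, state, ends}; dhcpd appends a record on every change,
    so the last record for an IP is the current one and replaces earlier ones."""
    leases, ip, rec = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LEASE_START.match(line)
        if m:
            ip, rec = m.group(1), {"mac": None, "state": None, "ends": None}
        elif ip is None:
            continue                        # header lines outside any lease
        elif line.startswith("}"):
            leases[ip], ip, rec = rec, None, None
        else:
            f = line.rstrip(";").split()
            if f[:2] == ["binding", "state"]:
                rec["state"] = f[2]
            elif f[:2] == ["hardware", "ethernet"]:
                rec["mac"] = normalize_mac(f[2])
            elif f[0] == "ends":
                rec["ends"] = parse_ends(f[1:])
    return leases

def active_ip_for(leases, mac, now):
    """One IP leased to mac now; None if none or ambiguous (two active leases)."""
    want = normalize_mac(mac)
    hits = [ip for ip, r in leases.items()
            if r["mac"] == want and r["state"] == "active"
            and (r["ends"] is None or r["ends"] > now)]
    return hits[0] if len(hits) == 1 else None

def main():
    # rlm_exec interface: the MAC arrives in $CALLING_STATION_ID; print the
    # address, or exit non-zero so the xlat expands to nothing.
    try:
        with open("/var/lib/dhcp/dhcpd.leases") as fh:
            ip = active_ip_for(parse_leases(fh.read()),
                               os.environ.get("CALLING_STATION_ID", ""),
                               datetime.now(timezone.utc))
    except (OSError, ValueError):
        ip = None
    if ip is not None:
        print(ip)
    return 0 if ip is not None else 1

# Constructed sample (not real data): 10.0.0.5 is current for our client;
# 10.0.0.7 was ours, but a later record re-leases it to another MAC;
# 10.0.0.9 is still marked active although its "ends" has already passed.
SAMPLE_LEASES = """\
lease 10.0.0.5 {
  ends 3 2024/01/03 20:00:00;
  binding state active;
  hardware ethernet 00:0c:29:3e:5a:1b;
}
lease 10.0.0.7 {
  ends 3 2024/01/03 20:05:00;
  binding state active;
  hardware ethernet 00:0c:29:3e:5a:1b;
}
lease 10.0.0.7 {
  ends 3 2024/01/03 21:00:00;
  binding state active;
  hardware ethernet 52:54:00:aa:bb:cc;
}
lease 10.0.0.9 {
  ends 3 2024/01/03 09:10:00;
  binding state active;
  hardware ethernet 00:0c:29:3e:5a:1b;
}
"""
SAMPLE_NOW = datetime(2024, 1, 3, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    raise SystemExit(main())
```

Against the constructed sample, a lookup for 00-0C-29-3E-5A-1B at 10:00 UTC returns 10.0.0.5 only: 10.0.0.7 now belongs to 52:54:00:aa:bb:cc and 10.0.0.9 has expired. Run the same lookup an hour earlier and both 10.0.0.5 and 10.0.0.9 are still valid, so the function returns None rather than guess, which is the behaviour you want in an accounting record that may later be used as evidence.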
