mad wrote:
Hello,
I have a freeradius server, I use an eap/ttls authentication with 802.1x
and ldap.
I want to save the username, the ip adress, the MAC address, the start
time and the stop time of the connection with the accounting function
(with mysql).
I have a problem with the ip address ... because it's dhcpd who give an
ip address at the client, so freeradius can't have this information.
Correct
I have try ippool in freeradius (freeradius want to give an ip address
but the client don't receive). Also I have read that it's impossible to
use ippool with eap and when there are access point and/or swith between
client and server ... it's true ?
I'm afraid so. EAP happens before IPs are assigned, and doesn't interact
with DHCP.
I have also try other solutions (with syslog-ng who get the ip address
in the log and insert in acct table ..., a scripts with omshell who
permit to freeradius to indicate at dhcpd what ip address give at this
client ...) BUT I think this solution are very unstable ...
The omshell one is a clever idea. But you're right, it's not very stable.
I think for the moment processing the DHCP logs or lease database and
adding it to the radius accouting table will be needed.
The other way would be to get a list of IP->mac (either by processing
the logs or "snmpwalk ipnettomedia" of the router) and dump them to a
file, then use the "hints" and an "exec" module to insert the IP into
the accounting requests. Obviously the accounting-start will happen
before you have that info, but the interim and accounting-stop should be
ok. So, something like this in "hints":
DEFAULT
Framed-IP-Address = `{exec:lookup_ip}`
and in radiusd.conf:
modules {
exec lookup_ip {
wait = yes
program = "/usr/local/bin/lookup_ip"
input_pairs = request
}
}
If you have access to the DHCP servers leases database (assuming ISC
dhcpd) then the following would work as a script (or something like it -
this is untested):
#!/bin/sh
BUF=`mktemp`
if [ $? -ne 0 ]
then
exit 1
fi
trap "rm -f $BUF" EXIT
# Radius attributes are in environment variables
# Calling-Station-Id is...
MAC="$CALLING_STATION_ID"
if [ -z "$MAC" ]
then
exit 1
fi
DHCP_LEASES=/var/lib/dhcp/dhcpd.leases
awk -v MAC=$MAC '
/^#/ { next; }
/^lease / { our_lease=0; ip=$2; next; }
/^}/ {
if (our_lease) {
if (state!="active")
del leases[ip];
else
leases[ip] = mac;
}
ip = "";
our_lease = 0;
next;
}
{
if (!ip)
next;
if ($1=="binding" && $2=="state") {
state = $3;
gsub(/;/,"",state);
} else if ($1=="hardware" && $2=="ethernet") {
mac = $3;
gsub(/;/,"",mac);
if (mac==MAC) {
our_lease = 1;
}
}
}
END {
for (ip in leases) {
print ip, mac;
}
}' $DHCP_LEASES >$BUF
NUM_LEASES=`wc -l $BUF | awk '{ print $1 }'`
if [ $NUM_LEASES -gt 1 ]
then
# >1 lease for this mac, help!
exit 1
elif [ $NUM_LEASES -ne 1 ]
then
# no leases
exit 1
else
ip=`cut -d ' ' -f 1 $BUF`
echo $ip
fi
What do you think about this ?
Have you an other solution ?
Sorry my english is rusty ... and thanks for your answers
Your english is better than my - well, anything!
Regards,
Psymad
Hope that helps
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html