Cisco NAS and server side ip pool management
Hi, for many hours now I am trying to configure a Cisco router as a NAS to authenticate dialup users against freeradius and provide the ip address dynamically from a server based ip pool. The authentication part works fine and the ip address also gets selected from the pool and sent as Framed-IP-Address back to the NAS. The only thing is that the ip address seems not to be catched up by the NAS and provided to the dialup user. I test the dialup connection from a Windows XP machine with an ISDN card and there it always ends in an error message that the NAS didn't provide the IP information. It is absolutely no problem to use a static ip pool on the Cisco router instead of a server based ip pool management. Can someone please send me a working configuration example for a Cisco IOS based NAS? Thanks Sebastian - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco NAS and server side ip pool management
aaa new-model aaa authentication login default local aaa authentication ppp default group radius local aaa accounting network default start-stop group radius aaa authorization network default group radius radius-server host ip of radius auth-port authorization-port acct-port accounting-port non-standard key secret A local ip pool is not used, if your radius sends a FRAMED_IP-ADRESS. There is no difference if it is configured or not. Radius wins. -- Thoralf Freitag Manager Health Services System Administration Phone: +49 (0) 30 68905-4611 Cellular:+49 (0) 151 1631-4611 Fax:+49 (0) 30 68905-2940 Mail: thoralf.frei...@biotronik.com From: Sebastian Krieger s...@ts.tsimail.de To: freeradius-users@lists.freeradius.org Date: 13.02.09 16:56 Subject: Cisco NAS and server side ip pool management Sent by: freeradius-users-bounces+thoralf.freitag=biotronik@lists.freeradius.org Hi, for many hours now I am trying to configure a Cisco router as a NAS to authenticate dialup users against freeradius and provide the ip address dynamically from a server based ip pool. The authentication part works fine and the ip address also gets selected from the pool and sent as Framed-IP-Address back to the NAS. The only thing is that the ip address seems not to be catched up by the NAS and provided to the dialup user. I test the dialup connection from a Windows XP machine with an ISDN card and there it always ends in an error message that the NAS didn't provide the IP information. It is absolutely no problem to use a static ip pool on the Cisco router instead of a server based ip pool management. Can someone please send me a working configuration example for a Cisco IOS based NAS? Thanks Sebastian - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html www.biotronik.com BIOTRONIK GmbH Co. KG Woermannkehre 1, 12359 Berlin, Germany Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRA 6501 Vertreten durch ihre Komplementärin: BIOTRONIK Mess- und Therapiegeräte GmbH Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRB 2918 Geschäftsführer: Dr. Max Schaldach, Christoph Böhmer, Dr. Werner Braun, Dr. Lothar Krings This email and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this email, please notify the sender immediately and delete the document. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
server side ip pool management problem
ahissi jean-françois a écrit : Hello, I need help! I have a freeradius server 1.1.3 with mysql 4.1.11 backend and we manage ip address pools with the NAS (Redback SMS), it works fine. Now we need to have subscribers groups with particular ip address pools for each group. I don't how to configure it with the NAS so i want to manage this with freeradius but i don't exactly know how to configure it with users file because i think that i can't use at the same time mysql database and users file. thanks for your help! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : RE : IP Pool management and Re-authentication
Thibault Le Meur wrote: I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing. Alan DeKok. Do you mean updated (to 1.1.5) or patched ? Never mind I found the answer by looking at the code from rlm_ippool.c. Currently, when an Access-Request arrives, rlm_ippool: * looks in the pool for an 'active' entry (flagged as active) with the key=NAS-IP/NAS-port * If no entry is found == rlm_ippool allocates an @IP from the pool * If an active entry is found == it is considered as a stale entry and is marked as not active (active=0) == then a new IP is allocated If rlm_ippool is 'updated' to take Framed-IP-Address into account what shoudl be the behaviour ? A simple patch would consist of doing nothing at Post-Auth time if the request contains a Framed-IP-Address. A more complex patch should handle several different cases and decide what to do. For instance: * when Access-Request is received, look for an active entry in the pool with the search key NAS-IP/NAS-port * If no entry is found * If there is No Framed-IP-Address attribute in the Request == allocate a new @IP from the pool * If there is a Framed-IP-Address attribute in the Request * If the Framed-IP-Address belongs to the IP-range of the pool (but it is not assigned to this NAS-IP/NAS-port) == then issue a warning log (especially if this IP is allocated to an active entry for another NAS-IP/NAS-port) == do not allocate a new @IP ??? (Or should we enforce a new IP, without beeing sure the NAS will be able to use it ?) * If the Framed-IP-Address doesn't belong to the IP-range of the pool == do not allocate a new @IP * If an entry is found (there is already an allocated @IP for this NAS-IP/NAS-port) * If there is a Framed-IP-Address attribute in the Request * If this Framed-IP-Address is the same as the allocated IP from the entry found == then do nothing (no stale marking, no new @IP allocation) * If this Framed-IP-Address is NOT the same as the allocated IP from the entry found == then mark the current entry as staled (active=0) == report an error in the log because something went wrong (especially if the Framed-IP-Address received is allocated to another NAS-IP/NAS-port entry in the pool) == do not allocate a new @IP * If there is No Framed-IP-Address attribute in the Request == then mark the current entry as staled (active=0) == allocate a new @IP What do you think ? Is it already done in current developpement tree ? Regards, Thibault Le Meur - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Solution: IP Pool management and Re-authentication
Thibault Le Meur wrote:
I've patched the radiusplugin to add Framed-IP-Address to
the re-auth
request but rlm_ippool still allocates a new IP Address
(I'm using FR
1.1.4).
Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.
That would be very useful, and would solve the problem
you're seeing.
Alan DeKok.
For those interested in an interim solution, here is a workaround:
1- make sure your NAS sends a Framed-IP-Address attribute in the
Access-Request when a re-authentication is performed (that is to say for
openvpn, use a patched version of radiusplugin)
2- Setup 2 Post-Auth-Types in the post-auth section:
Post-Auth-Type postauth.ovpn {
Ovpn_Main_Pool
reply_log
}
Post-Auth-Type postauth.ovpn.reauth {
reply_log
}
3- in the users file (for instance) dispatch incomming Access-Requests based
on the presence of the Framed-IP-Address attribute:
DEFAULT Framed-IP-Address !* Any, Huntgroup-Name == srvs-vpn-ovpn,
Post-Auth-type := postauth.ovpn
Fall-Through = no
DEFAULT Framed-IP-Address =* Any, Huntgroup-Name == srvs-vpn-ovpn,
Post-Auth-type := postauth.ovpn.reauth
Fall-Through = no
Thanks Alan for your help,
Regards,
Thibault
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : IP Pool management and Re-authentication
Hi Alan, I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegociation Access-Accept requests and only assign new IP address from the pool on Initial Access-Accept requests. I think you mean Access-Request packet. Sorry for the mistake, I meant Access-Request of course If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate send one in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request. I get you right, my patch may be as easy as to make radiusplugin add the Framed-IP-Address attribute in the Access-Request packet with the already assigned IP Address when it is a renegotiation. I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). I can see this in radiusd -X: modcall: entering group postauth.ovpn for request 3 rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1 rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1 rlm_ippool: num: 0 rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1 rlm_ippool: Allocating ip to nas/port: 192.168.1.1/1 rlm_ippool: num: 1 rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.168.1.1,port 1 modcall[post-auth]: module Ovpn_Main_Pool returns ok for request 3 Where: * 192.168.1.1 is the NAS IP Address * 10.1.1.1 is the IP address allocated at connection time * 10.1.1.2 is the IP address allocated at re-authentication time Maybe I didn't understand you well: * Is rlm_ippool supposed to return NOOP if a Framed-IP-Address attribute is present in the Request ? OR * is it up to me to bypass the rlm_ippool (by setting another Post-Auth-Type) when a Re-Auth Request is performed (that is to say when a Framed-IP-Address attribute is present in the Request) ? Thanks in advance, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : IP Pool management and Re-authentication
Thibault Le Meur wrote: I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : IP Pool management and Re-authentication
Thibault Le Meur wrote: I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing. Alan DeKok. Do you mean updated (to 1.1.5) or patched ? I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't see any difference so I think the problem I'm seeing is still present in 1.1.5. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : RE : IP Pool management and Re-authentication
I've been using OpenVPN + Ralf's Radiusplugin for several months and recently moved away from server-side IP assignment. However, while I did use it, I found that in my configuration FreeRADIUS only assigned new IPs when the accounting for that user had stopped (ie, if it recieved a STOP packet). This meant, that once I'd crashed the openvpn server 3 times with users on it :-) there were many IP's who were 'lost' - their sessions had never ended, hence the IP was never returned to the pool. I was doing renegotiation every 20 minutes if I remember correctly, and the freeradius replied with the same IP for the user time and time again. Hence, I'm beginning to wonder if it's configuration-specific, because I didn't have any problems. Hope this helps, Jan On 21/03/07, Thibault Le Meur [EMAIL PROTECTED] wrote: Thibault Le Meur wrote: I've patched the radiusplugin to add Framed-IP-Address to the re-auth request but rlm_ippool still allocates a new IP Address (I'm using FR 1.1.4). Ok. It seems like rlm_ippool should be updated to look for Framed-IP-Address in the request. That would be very useful, and would solve the problem you're seeing. Alan DeKok. Do you mean updated (to 1.1.5) or patched ? I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't see any difference so I think the problem I'm seeing is still present in 1.1.5. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : IP Pool management and Re-authentication
quote I've been using OpenVPN + Ralf's Radiusplugin for several months and recently moved away from server-side IP assignment. However, while I did use it, I found that in my configuration FreeRADIUS only assigned new IPs when the accounting for that user had stopped (ie, if it recieved a STOP packet). /quote Curious this is not what I see here ?? What is/was your FR server version ? Anyway, Alan said that a 'good nas' should send the Framed-IP-Address in the Access-Request if it has been already assigned one: this wasn't done by radiusplugin, thus I think I'll keep the pacth. quote This meant, that once I'd crashed the openvpn server 3 times with users on it :-) there were many IP's who were 'lost' - their sessions had never ended, hence the IP was never returned to the pool. /quote Sure, this is also true for my others NAS (pppd based), but they are quite robust (I hope openvpn is/will be as robust ;-)). quote I was doing renegotiation every 20 minutes if I remember correctly, and the freeradius replied with the same IP for the user time and time again. /quote Interesting, what could explain that mine allocate new IP addresses each time ? Should rlm_ippool allocate the same IP for a NAS-IP/NAS-port couple if the entry isn't cleaned from the pool ? (Anyway, I think it's better to have FR not re-send Framed-IP-Address since it would cause an unsuseful write to the client-config file from the radiusplugin.) quote Hence, I'm beginning to wonder if it's configuration-specific, because I didn't have any problems. /quote I can trust you, but I don't know where to search for a setup mistake. Does someone has an idea ? Thanks in advance, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP Pool management and Re-authentication
Hi, I'm using a system (openvpn) with 'radiusplugin' to let FR authenticate users and manage IP Pools. Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation). I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegociation Access-Accept requests and only assign new IP address from the pool on Initial Access-Accept requests. Do you know a standard Radius attribute that could be used for this ? As far as you know, are there other NASes using such a quirk ? Does this make sense ? Thanks in advance, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: IP Pool management and Re-authentication
Thibault Le Meur wrote: Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation). So why isn't the radiusplugin telling FreeRADIUS what the old IP address was? I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegociation Access-Accept requests and only assign new IP address from the pool on Initial Access-Accept requests. I think you mean Access-Request packet. If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate send one in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request. Do you know a standard Radius attribute that could be used for this ? As far as you know, are there other NASes using such a quirk ? Does this make sense ? It makes sense. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : IP Pool management and Re-authentication
Thanks for your reply, Thibault Le Meur wrote: Openvpn sometimes needs to renegotiate the connections and thus sends authentication requests while the connection is still active (with an already assigned IP address): this causes FR to assign a new IP address from the pool (which seems normal since FR has no way to know this is a renegotiation). So why isn't the radiusplugin telling FreeRADIUS what the old IP address was? Because It's still beta ;-), I can fix this I'd like to patch the openvpn-radiusplugin so that an extra attribute is sent in the Access-Accept packets so that FR will be able to differentiate Initial and Renegociation Access-Accept requests and only assign new IP address from the pool on Initial Access-Accept requests. I think you mean Access-Request packet. Sorry for the mistake, I meant Access-Request of course If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can allocate send one in an Access-Accept. If openvpn re-authenticates a session with an existing IP address, it should send Framed-IP-Address in the Access-Request. I get you right, my patch may be as easy as to make radiusplugin add the Framed-IP-Address attribute in the Access-Request packet with the already assigned IP Address when it is a renegotiation. Thanks a lot Alan. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[Fwd: IP Pool management]
Original Message Subject: IP Pool management From:[EMAIL PROTECTED] Date:Fri, July 21, 2006 10:16 am To: freeradius-users@lists.freeradius.org -- Hi, I am new to radius. I want to understand functionality of IP Pool management and 802.1x,means EAP,EAP-MD5,LEAP . How can I customize the same using free radius ? Thanxs to all Darshak - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ip pool management
Yes you are right. Luaching the server in debug mode told me that Pool-name is a check item and that it should be on the first line. The problem is that it is complaining: rlm_ippool: could not find Pool-Name attribute For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients. I'm true ? If yes, I can't modify the I got from the NAS (it's not mine). So is there a way to use ippool without this check item ? Thanks for your help. Regards, -- Sebastien Cantos [EMAIL PROTECTED] Network / System Manager Neopost DIVA -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Alan DeKok Envoyé : mercredi 2 mars 2005 18:50 À : freeradius-users@lists.freeradius.org Objet : Re: Ip pool management Sébastien Cantos [EMAIL PROTECTED] wrote: I've followed instructions in radiusd.conf : My users file looks like this: DEFAULT Service-Type == Framed-User Pool-Name := osiris-pool, You did not follow the instructions in radiusd.conf. The Pool-Name attribute should go on the first line. If you had run the server in debugging mode, the server would have told you this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ip pool management
Sébastien Cantos [EMAIL PROTECTED] wrote: The problem is that it is complaining: rlm_ippool: could not find Pool-Name attribute The *module* is printing that message because the Pool-Name attribute is not found in the list of check items. For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients. No. Nothing in the server documentation would lead you to that conclusion. The documentation would lead you to the *correct* conclusion, which is that the check items are not the request items. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ip pool management
Ok it works with : DEFAULT Service-Type == Framed-User, Pool-Name := main_pool Framed-Protocol = PPP, Framed-MTU = 576 Thanks a lot for your help. Kind Regards, -- Sebastien Cantos [EMAIL PROTECTED] Network / System Manager Neopost DIVA -Message d'origine- De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Alan DeKok Envoyé : jeudi 3 mars 2005 17:41 À : freeradius-users@lists.freeradius.org Objet : Re: Ip pool management Sébastien Cantos [EMAIL PROTECTED] wrote: The problem is that it is complaining: rlm_ippool: could not find Pool-Name attribute The *module* is printing that message because the Pool-Name attribute is not found in the list of check items. For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients. No. Nothing in the server documentation would lead you to that conclusion. The documentation would lead you to the *correct* conclusion, which is that the check items are not the request items. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ip pool management
Hi,
I've followed instructions in radiusd.conf :
My users file looks like this:
DEFAULT Service-Type == Framed-User
Pool-Name := osiris-pool,
Framed-Protocol = PPP,
Framed-MTU = 576
And in my radiusd.conf I've:
post-auth {
# Get an address from the IP Pool.
# main_pool
osiris-pool
...
}
modules {
...
ippool osiris-pool {
range-start = 192.168.52.1
range-stop = 192.168.52.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
}
}
I get this error :
rlm_ippool: could not find Pool-Name attribute
And my client doesn't get back the IP.
I surely miss something Could someone help me please ?
Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA
-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] De la
part de Alan DeKok
Envoyé : mardi 1 mars 2005 18:50
À : freeradius-users@lists.freeradius.org
Objet : Re: Ip pool management
Sébastien Cantos [EMAIL PROTECTED] wrote:
I would like to configure my radius to give the first
available IP in the
subnet 192.168.52.0/24 without carrying about the NAS modem number.
Is there a way to configure this ?
Read radiusd.conf. Look for ippool
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ip pool management
Sébastien Cantos [EMAIL PROTECTED] wrote: I've followed instructions in radiusd.conf : My users file looks like this: DEFAULT Service-Type == Framed-User Pool-Name := osiris-pool, You did not follow the instructions in radiusd.conf. The Pool-Name attribute should go on the first line. If you had run the server in debugging mode, the server would have told you this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IP Pool management into MySQL
Hello, I'm working in a failover scenario where a NAS has two freeradius servers configured and in case of fail of the current radius active it will forward the querys to the backup radius. This is working fine with no problem. The problem is that if I'm using DHCP I have to manage the pool in the NAS because freeradius stores the status of the pool locally. Is there a way to move ip pool mgmt into MySQL so in case of failure of the active, the backup radius can get the status of the pool? Thanks in advance. Regards -- David Manchado - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ip pool management
Hi, I've something like this in my user file: DEFAULT Service-Type == Framed-User Framed-Protocol = PPP, Framed-MTU = 576, Framed-IP-Address = 192.168.52.1+, Framed-IP-Netmask = 255.255.255.0 I've noticed that the IP on the client side depends on the NAS modem number. For example if modem is number 1 the IP is 192.168.52.1, is modem is number 10, ip is 192.168.52.10. I would like to configure my radius to give the first available IP in the subnet 192.168.52.0/24 without carrying about the NAS modem number. Is there a way to configure this ? Regards, -- Sebastien Cantos [EMAIL PROTECTED] Network / System Manager Neopost DIVA - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Ip pool management
Sébastien Cantos [EMAIL PROTECTED] wrote: I would like to configure my radius to give the first available IP in the subnet 192.168.52.0/24 without carrying about the NAS modem number. Is there a way to configure this ? Read radiusd.conf. Look for ippool Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
