Re: IP Pool for Ethernet

2011-03-01 Thread Alan DeKok
Groebl, Laurence (Laurence) wrote:
> Hello Alan,
> 
> Yes, according to the documentation of the Juniper Gateway, the gateway 
> should be able to understand the Radius attribute 8 "Framed-IP-Address" in 
> the Access-Accept message, but it seems that it also needs the attribute 88 
> "Framed-Pool".
> 
> This is described in "Concepts & Examples ScreenOS Reference Guide, User 
> Authentication document", chapter "Framed Pool and Framed IP Address" page 
> 26, 
> http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_UserAuth.pdf
> 
> And then the Gateway should be able to send this address in the IKEv2 
> configuration payload to the IPsec client (this ikev2 interface is already 
> working with local address assignment in the gateway, we tested it).

  So... send those attributes back in an Access-Accept.  You don't need
to configure IP Pools to return a bogus Framed-IP-Address.

  If that works, *then* you should consider configuring IP pools.  Until
then, you're 2-3 steps ahead of yourself.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: IP Pool for Ethernet

2011-03-01 Thread Groebl, Laurence (Laurence)
Hi

We indeed already tried sending only the Framed-IP-Address in the Access-Accept 
and it didn't work, the Gateway didn't assign this address to the IPsec client, 
but a default IP address.

I also didn't understand why the Framed-Pool attribute is a must in the Gateway,
Juniper supports only the following cases (extract from the Screen OS 
documentation):

Case 1:  Framed-Pool attribute and the Framed-IP-Address attribute are both 
included in the Access-Accept message.
=> The Framed-Pool attribute is always ignored by the RADIUS server unless the  
framed-IP-Address value is 0xFFFE (255.255.255.254). Then, the device 
allocates an address from the Framed-Pool attribute sent by the RADIUS server

Case 2: Framed-Pool attribute and the Framed-IP-Address attribute are both 
absent from the Access-Accept message.
=> The device does not assign an IP address to the end user.

Case 3: Framed-IP-Address attribute is included in the Access-Accept message 
and it has a value of 0xFFFE (255.255.255.254). BUT Framed-Pool attribute 
is absent.
=> The device allocates an IP address from the default IP address pool that is 
configured for that virtual system.

Case 4: The pool sent out in the Framed-Pool attribute is not configured, or 
it does not have any IP addresses.
=> Error messages are generated and the negotiation is terminated.


Best regards,
Laurence

-Original Message-
From: freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org
[mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: Tuesday, 1 March 2011 11:56
To: freeradius-users@lists.freeradius.org
Subject: Re: IP Pool for Ethernet

On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:
> Hello Alan,
>
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also needs the attribute 88 "Framed-Pool".

That doesn't make sense. You can't send it a specific IP, and an 
attribute telling it to pick an IP from a local pool, and expect any 
sensible behaviour.

Have you tried just sending the Framed-IP-Address?

Also, your subject line is wrong - this is nothing to do with "Ethernet"


Re: IP Pool for Ethernet

2011-03-01 Thread Phil Mayers

On 01/03/11 10:39, Groebl, Laurence (Laurence) wrote:

> Hello Alan,
>
> Yes, according to the documentation of the Juniper Gateway, the
> gateway should be able to understand the Radius attribute 8
> "Framed-IP-Address" in the Access-Accept message, but it seems that
> it also needs the attribute 88 "Framed-Pool".


That doesn't make sense. You can't send it a specific IP, and an 
attribute telling it to pick an IP from a local pool, and expect any 
sensible behaviour.


Have you tried just sending the Framed-IP-Address?

Also, your subject line is wrong - this is nothing to do with "Ethernet"


RE: IP Pool for Ethernet

2011-03-01 Thread Groebl, Laurence (Laurence)
Hello Alan,

Yes, according to the documentation of the Juniper Gateway, the gateway should 
be able to understand the Radius attribute 8 "Framed-IP-Address" in the 
Access-Accept message, but it seems that it also needs the attribute 88 
"Framed-Pool".

This is described in "Concepts & Examples ScreenOS Reference Guide, User 
Authentication document", chapter "Framed Pool and Framed IP Address" page 26, 
http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_UserAuth.pdf

And then the Gateway should be able to send this address in the IKEv2 
configuration payload to the IPsec client (this ikev2 interface is already 
working with local address assignment in the gateway, we tested it).

Best regards,
Laurence

-Original Message-
From: freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org
[mailto:freeradius-users-bounces+laurence.groebl=alcatel-lucent@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Tuesday, 1 March 2011 10:00
To: FreeRadius users mailing list
Subject: Re: IP Pool for Ethernet

Groebl, Laurence (Laurence) wrote:
> However I'd like the RADIUS server to assign this IP address and send it
> within the Access-Accept  in the Framed-IP-Address attribute (to avoid
> configuring the IPsec Gateway with the tunnel address).

  Does the gateway *understand* what it means to have an address in the
Access-Accept?  If the documentation doesn't say it will work, then it
won't work.

  Alan DeKok.


Re: IP Pool for Ethernet

2011-03-01 Thread Alan DeKok
Groebl, Laurence (Laurence) wrote:
> However I’d like the RADIUS server to assign this IP address and send it
> within the Access-Accept  in the Framed-IP-Address attribute (to avoid
> configuring the IPsec Gateway with the tunnel address).

  Does the gateway *understand* what it means to have an address in the
Access-Accept?  If the documentation doesn't say it will work, then it
won't work.

  Alan DeKok.

Re: ip pool

2008-11-26 Thread thoralf . freitag
Maybe you can define your pools similar to this (not tested)

DEFAULT Called-Station-Id == ", Pool-Name := "pool_1"
        Fall-Through = Yes


DEFAULT Called-Station-Id == ", Pool-Name := "pool_2"
        Fall-Through = Yes


Ciao

TF




From: sugiarto tjahyono <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Date: 26.11.08 10:30
Subject: ip pool
Sent by: [EMAIL PROTECTED]



Dear all,

I have a few problems. I use ip pool and it works fine if I define ip 
pool in mysql.

779084,"test","password","=","test123"
779085,"test","Pool-Name",":=","main_pool1"
779086,"test","Called-Station-Id","=","hostpot1"

The problem happens if I have 2 access points in the same area and IP; the 
only difference is the Called-Station-Id.
What should I set in radius if any user can go to AP 1 with 
Called-Station-Id 1 or AP 2 with Called-Station-Id 2?
If a user logs in at AP1 they will get main_pool1 and if a user logs in at AP2 
they will get main_pool2.

sorry for my bad language:)


 

Re: ip pool problem

2008-02-06 Thread Luis Galan

thanks. I think that's the problem.

Luis


Ivan Kalik wrote:
> > Could it be a problem from the NAS params sent to radius?
>
> It could - if NAS-Port parameter is the same for all users. If user C
> logs out IP addresses will be released from the pool and B will be able
> to get A's IP address.
>
> Ivan Kalik
> Kalik Informatika ISP



Re: ip pool problem

2008-02-06 Thread Ivan Kalik
>
>Could it be a problem from the NAS params sent to radius?

It could - if NAS-Port parameter is the same for all users. If user C
logs out IP addresses will be released from the pool and B will be able
to get A's IP address.

Ivan Kalik
Kalik Informatika ISP



Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-25 Thread Alan DeKok
Andrew D Kirch wrote:
> You might try putting it at the top of radiusd.conf

  Done.

  Alan DeKok.


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Alan DeKok
Andrew D Kirch wrote:
> When I connect a client to freeradius the client authenticates, gets an
> accept/accept, but does not get an IP address.  I've tried it with the
> Group and Pool-Name directives in each client's block, and I've tried it
> with them in a DEFAULT by themselves.  Neither has handed out an IP
> address.
...
> radius:/etc/freeradius# freeradius -v
> freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
> on Dec 16 2006 at 23:48:11

  You should upgrade to at least 1.1.6, maybe 2.0.1

  And with all of the information you posted, you didn't include the
most important, which is requested in the FAQ, README, INSTALL, "man"
page, and daily on this list: radiusd -X.

  Is there some other place in the documentation where this should be
suggested?

  Alan DeKok.


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread tnt
It's all in black and white:

#  for different users. The Pool-Name attribute is a *check* item not
#  a reply item.
#
# Example:
# radiusd.conf: ippool students { [...] }
# users file  : DEFAULT Group == students, Pool-Name := "students"
#

Yet, you have put it as a reply item.

Ivan Kalik
Kalik Informatika ISP


On 24/1/2008, "Andrew D Kirch" <[EMAIL PROTECTED]> wrote:

>When I connect a client to freeradius the client authenticates, gets an
>accept/accept, but does not get an IP address.  I've tried it with the
>Group and Pool-Name directives in each client's block, and I've tried it
>with them in a DEFAULT by themselves.  Neither has handed out an IP address.
>
>System vitals:
>radius:/etc/freeradius# uname -a
>Linux radius 2.6.18-5-686 #1 SMP Mon Dec 24 16:41:07 UTC 2007 i686 GNU/Linux
>radius:/etc/freeradius# cat /etc/debian_version
>4.0
>radius:/etc/freeradius# freeradius -v
>freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
>on Dec 16 2006 at 23:48:11
>
># radtest umcc xx localhost 0 xxx
>Sending Access-Request of id 144 to 127.0.0.1 port 1812
>User-Name = "umcc"
>User-Password = "bts10200"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 0
>rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=144, length=44
>Service-Type = Framed-User
>Framed-IP-Netmask = 255.255.255.255
>Framed-Protocol = PPP
>Framed-Compression = Van-Jacobson-TCP-IP
>
>radius.log:
>Thu Jan 24 11:20:51 2008 : Info: rlm_exec: Wait=yes but no output
>defined. Did you mean output=none?
>Thu Jan 24 11:20:51 2008 : Info: Ready to process requests.
>Thu Jan 24 11:32:33 2008 : Auth: Login OK: [umcc] (from client
>localhost-testing port 0)
>
>users:
>umcc    User-Password == "xx"
>        Service-Type = Framed-User,
>        Framed-IP-Netmask = 255.255.255.255,
>        Group == main_pool,
>        Pool-Name := "main_pool",
>        Framed-Protocol = PPP,
>        Framed-Compression = Van-Jacobsen-TCP-IP
>
>radiusd.conf (pertinent sections)
> ippool main_pool {
>        range-start = 208.64.35.2
>        range-stop = 208.64.35.254
>        netmask = 255.255.255.255
>        cache-size = 253
>        session-db = ${raddbdir}/db.ippool
>        ip-index = ${raddbdir}/db.ipindex
>        override = yes
>        maximum-timeout = 0
>}
>accounting {
>        detail
>        unix
>        radutmp
>        main_pool
>}
>post-auth {
>        main_pool
>}
>
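
A small check for the mistake pointed out in this message (Pool-Name placed among the reply items), added here as an example; it is not FreeRADIUS code and not from any poster in the thread. The two sample entries are constructed from the posted users entry with indentation restored and trimmed, and the names parse_users, misplaced_check_items and CHECK_ONLY are hypothetical. It only handles the simple layout of a name plus check items on the first line and indented reply items below.

```python
import re

# Attributes rlm_ippool expects in the check list, per the radiusd.conf
# comment quoted in the thread ("Pool-Name ... is a *check* item").
CHECK_ONLY = {"Pool-Name"}

# attribute, operator, value (quoted string or bare token), optional comma
ITEM = re.compile(
    r'([A-Za-z0-9-]+)\s*(:=|==|\+=|!=|=~|!~|<=|>=|=|<|>)\s*("[^"]*"|[^,\s]+)\s*,?'
)


def parse_users(text):
    """Split a users file into entries with separate check and reply lists."""
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # First line of an entry: user name, then comma-separated check items.
            parts = raw.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            current = {"name": parts[0], "line": lineno,
                       "check": ITEM.findall(rest), "reply": []}
            entries.append(current)
        elif current is not None:
            # Indented continuation lines hold the reply items.
            for attr, op, value in ITEM.findall(raw):
                current["reply"].append((lineno, attr, op, value))
    return entries


def misplaced_check_items(text):
    """Return (user, line, attribute) for check-only attributes in a reply list."""
    findings = []
    for entry in parse_users(text):
        for lineno, attr, _op, _value in entry["reply"]:
            if attr in CHECK_ONLY:
                findings.append((entry["name"], lineno, attr))
    return findings


# Constructed sample: Pool-Name sits among the reply items, as in the post.
AS_POSTED = """umcc    User-Password == "xx"
        Service-Type = Framed-User,
        Framed-IP-Netmask = 255.255.255.255,
        Pool-Name := "main_pool",
        Framed-Protocol = PPP
"""

# Constructed sample: Pool-Name moved to the first line with the check items.
CORRECTED = """umcc    User-Password == "xx", Pool-Name := "main_pool"
        Service-Type = Framed-User,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Protocol = PPP
"""

if __name__ == "__main__":
    print("as posted:", misplaced_check_items(AS_POSTED))
    print("corrected:", misplaced_check_items(CORRECTED))
```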


Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Andrew D Kirch

Alan DeKok wrote:
> Andrew D Kirch wrote:
> > When I connect a client to freeradius the client authenticates, gets an
> > accept/accept, but does not get an IP address.  I've tried it with the
> > Group and Pool-Name directives in each client's block, and I've tried it
> > with them in a DEFAULT by themselves.  Neither has handed out an IP
> > address.
> ...
> > radius:/etc/freeradius# freeradius -v
> > freeradius: FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu, built
> > on Dec 16 2006 at 23:48:11
>
>   You should upgrade to at least 1.1.6, maybe 2.0.1
>
>   And with all of the information you posted, you didn't include the
> most important, which is requested in the FAQ, README, INSTALL, "man"
> page, and daily on this list: radiusd -X.
>
>   Is there some other place in the documentation where this should be
> suggested?
>
>   Alan DeKok.
  

You might try putting it at the top of radiusd.conf, everyone's
eventually going to see that.  Because I use Debian the others are
packaged and abstracted away.  I used the Freeradius wiki quite a bit as 
well, and perhaps it could be more visible there too.  In fact I think 
this might  be an honorable use of the  element as I was able to 
use the freeradius -X output to immediately debug my problem.  Thank you 
for the help.


Andrew




Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-24 Thread Kevin Bonner
On Thursday 24 January 2008 13:10:09 Alan DeKok wrote:
>   And with all of the information you posted, you didn't include the
> most important, which is requested in the FAQ, README, INSTALL, "man"
> page, and daily on this list: radiusd -X.
>
>   Is there some other place in the documentation where this should be
> suggested?
>
>   Alan DeKok.

Big red letters on the front page of the website.  Or below the 
subscribe/unsubscribe line in the footer of every message.  =)

-Kevin



Re: IP Pool

2007-12-06 Thread Marcelus Trojahn

Sounds like a plan, I'll give it a try.

Thanks!

--
Marcelus Trojahn

[EMAIL PROTECTED] wrote:
> How about multiple pools - one for each subnet. If I recall well, you add
> all the ippools to post-auth section of radiusd.conf and use Pool-Name
> := DEFAULT. That worked some years ago. Haven't tried it lately.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 6/12/2007, "Marcelus Trojahn" <[EMAIL PROTECTED]> wrote:
>
> > Hi folks,
> >
> > I have a PPPoE server which authenticates the user on freeradius...
> > Right now, the PPPoE server is in charge of assigning the IPs to the
> > users but I want to do that via radius because I'm adding another PPPoE
> > server on the network and OSPF routing...
> >
> > Problem is, I had a look on radiusd.conf and what I could understand is
> > that I can only have pools on a same network (like 192.168.0.0/23, for
> > instance)... But I need 1 big pool with IPs in different networks
> > because my users receive valid public IP addresses...
> >
> > So, I need all users on the same pool and the pool has to have a bunch
> > of different IP ranges, not in order, like 200.200.200.0/24,
> > 201.10.20.0/24 and so on...
> >
> > Is that even possible?
> >
> > --
> > Marcelus Trojahn


Re: IP Pool

2007-12-06 Thread tnt
How about multiple pools - one for each subnet. If I recall well, you add
all the ippools to post-auth section of radiusd.conf and use Pool-Name
:= DEFAULT. That worked some years ago. Haven't tried it lately.

Ivan Kalik
Kalik Informatika ISP


On 6/12/2007, "Marcelus Trojahn" <[EMAIL PROTECTED]> wrote:

>Hi folks,
>
>I have a PPPoE server which authenticates the user on freeradius...
>Right now, the PPPoE server is in charge of assigning the IPs to the
>users but I want to do that via radius because I'm adding another PPPoE
>server on the network and OSPF routing...
>
>Problem is, I had a look on radiusd.conf and what I could understand is
>that I can only have pools on a same network (like 192.168.0.0/23, for
>instance)... But I need 1 big pool with IPs in different networks
>because my users receive valid public IP addresses...
>
>So, I need all users on the same pool and the pool has to have a bunch
>of different IP ranges, not in order, like 200.200.200.0/24,
>201.10.20.0/24 and so on...
>
>Is that even possible?
>
>--
>Marcelus Trojahn
>


Re: Ip pool lease migration

2007-10-23 Thread Alan DeKok
Francesco Cristofori wrote:
> Is it a good idea to use rlm_ippool_tool to extract leases from radA and
> then inserting them in radB with rlm_ippool_tool -n ? 

  Why?

  If you need to copy information from one server to another, see
"radrelay".

  Alan DeKok.


Re: ip pool for dynamic users

2007-04-12 Thread Alan DeKok
ann kok wrote:
> Regarding to separate ip spool
> eg: radius 1. ip from x.x.x.2 - x.x.x.127
> radius 2. ip from x.x.x.128 to x.x.x.254
> 
> if the radius1 is used up the ip, is the client
> automatically asking the radius2 to get the ip?

  No.

  But you can configure radius1 to proxy the request to radius2 if the
IP pool on radius1 is completely allocated.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: ip pool for dynamic users

2007-04-12 Thread ann kok
Hi Alan

Thank you for your mail

We are using a LNS this time
We are using 2 radius servers. When one radius is
down, 2nd radius can help for authenticate

Regarding to separate ip spool
eg: radius 1. ip from x.x.x.2 - x.x.x.127
radius 2. ip from x.x.x.128 to x.x.x.254

if the radius1 is used up the ip, is the client
automatically asking the radius2 to get the ip?

Thank you


--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> ann kok wrote:
> > it looks like the first radius issues the ip to the A
> > DSL client. but secondary radius doesn't know this ip
> > already allocated and issue this ip to B DSL client.
>
>   You've configured two different RADIUS servers to allocate the same IP
> to two different people?  Why?
>
> > How can we avoid this problem?
>
>   Each server should have its own IP pool.  IP pools should not be
> shared between servers.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: ip pool for dynamic users

2007-04-12 Thread Jan Mulders

You could use the same ip pool across two NAS servers if you were only using
one radius server to assign IPs. I recommend you either make one radius
server handle only one NAS, so the ip pools don't collide, or use
rlm_sqlippool across them both as Peter pointed out.

Jan

On 12/04/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
> On Wed 11 Apr 2007, ann kok wrote:
> > Hi all
> >
> > I am using two radius servers for our DSL clients.
> >
> > but our client has ip conflict issue.
> >
> > it looks like the first radius issues the ip to the A
> > DSL client. but secondary radius doesn't know this ip
> > already allocated and issue this ip to B DSL client.
> >
> > Then two clients have the same ip address and cause
> > the ip conflict.
> >
> > How can we avoid this problem?
>
> Any of the following:
> * Don't use the same pool range on 2 servers (What made you think that
>   this would work?)
> * Use a shared storage backend (sqlippool with shared database)
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

Re: ip pool for dynamic users

2007-04-12 Thread Peter Nixon
On Wed 11 Apr 2007, ann kok wrote:
> Hi all
>
> I am using two radius servers for our DSL clients.
>
> but our client has ip conflict issue.
>
> it looks like the first radius issues the ip to the A
> DSL client. but secondary radius doesn't know this ip
> already allocated and issue this ip to B DSL client.
>
> Then two clients have the same ip address and cause
> the ip conflict.
>
> How can we avoid this problem?

Any of the following:
* Don't use the same pool range on 2 servers (What made you think that this 
would work?)
* Use a shared storage backend (sqlippool with shared database)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: ip pool for dynamic users

2007-04-11 Thread Alan DeKok
ann kok wrote:
> it looks like the first radius issues the ip to the A
> DSL client. but secondary radius doesn't know this ip
> already allocated and issue this ip to B DSL client.

  You've configured two different RADIUS servers to allocate the same IP
to two different people?  Why?

> How can we avoid this problem?

  Each server should have its own IP pool.  IP pools should not be
shared between servers.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : RE : RE : IP Pool management and Re-authentication

2007-03-22 Thread Thibault Le Meur

> 
> > Thibault Le Meur wrote:
> > > I've patched the radiusplugin to add Framed-IP-Address to
> > the re-auth
> > > request but rlm_ippool still allocates a new IP Address
> > (I'm using FR
> > > 1.1.4).
> > 
> >   Ok.  It seems like rlm_ippool should be updated to look for
> > Framed-IP-Address in the request.
> > 
> >   That would be very useful, and would solve the problem
> > you're seeing.
> > 
> >   Alan DeKok.
> 
> Do you mean updated (to 1.1.5) or patched ?

Never mind I found the answer by looking at the code from rlm_ippool.c.

Currently, when an Access-Request arrives, rlm_ippool:
* looks in the pool for an 'active' entry (flagged as active) with the
  key=NAS-IP/NAS-port
* If no entry is found
  ==> rlm_ippool allocates an @IP from the pool
* If an active entry is found
  ==> it is considered as a stale entry and is marked as not active
      (active=0)
  ==> then a new IP is allocated

If rlm_ippool is 'updated' to take Framed-IP-Address into account what
should be the behaviour ?

A simple patch would consist of doing nothing at Post-Auth time if the
request contains a Framed-IP-Address.

A more complex patch should handle several different cases and decide what
to do. For instance:
* when Access-Request is received, look for an active entry in the pool with
  the search key NAS-IP/NAS-port
* If no entry is found
  * If there is No Framed-IP-Address attribute in the Request
    ==> allocate a new @IP from the pool
  * If there is a Framed-IP-Address attribute in the Request
    * If the Framed-IP-Address belongs to the IP-range of the pool (but it
      is not assigned to this NAS-IP/NAS-port)
      ==> then issue a warning log (especially if this IP is allocated to an
          active entry for another NAS-IP/NAS-port)
      ==> do not allocate a new @IP ??? (Or should we enforce a new IP,
          without being sure the NAS will be able to use it ?)
    * If the Framed-IP-Address doesn't belong to the IP-range of the pool
      ==> do not allocate a new @IP
* If an entry is found (there is already an allocated @IP for this
  NAS-IP/NAS-port)
  * If there is a Framed-IP-Address attribute in the Request
    * If this Framed-IP-Address is the same as the allocated IP from the
      entry found
      ==> then do nothing (no stale marking, no new @IP allocation)
    * If this Framed-IP-Address is NOT the same as the allocated IP from the
      entry found
      ==> then mark the current entry as stale (active=0)
      ==> report an error in the log because something went wrong
          (especially if the Framed-IP-Address received is allocated to another
          NAS-IP/NAS-port entry in the pool)
      ==> do not allocate a new @IP
  * If there is No Framed-IP-Address attribute in the Request
    ==> then mark the current entry as stale (active=0)
    ==> allocate a new @IP

What do you think ?

Is it already done in current development tree ?

Regards,
Thibault Le Meur
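
The two behaviours described in this post (what rlm_ippool does on re-auth, and the "more complex patch" decision tree) as a runnable model, added here as an example; it is not rlm_ippool code and not part of the original post. PoolModel, replay and conflicting_claim are hypothetical names, the pool range 10.1.1.1-10.1.1.254 is assumed, and the rule that freed addresses rejoin the back of the free queue is an assumption of the model; the NAS address, port and allocated IPs are the ones from the radiusd -X output elsewhere in this thread.

```python
import ipaddress
from collections import deque


class PoolModel:
    """Toy in-memory pool keyed by (NAS-IP-Address, NAS-Port); not rlm_ippool."""

    def __init__(self, first, last):
        self.lo = int(ipaddress.IPv4Address(first))
        self.hi = int(ipaddress.IPv4Address(last))
        # Assumption of this model: freed addresses rejoin the back of the
        # queue, so a just-released address is not handed out again at once.
        self.free = deque(str(ipaddress.IPv4Address(n))
                          for n in range(self.lo, self.hi + 1))
        self.active = {}   # (nas_ip, nas_port) -> allocated address
        self.log = []      # warnings/errors an operator would alert on

    def in_range(self, ip):
        return self.lo <= int(ipaddress.IPv4Address(ip)) <= self.hi

    def holder(self, ip):
        """Key of the active entry that currently holds ip, or None."""
        return next((k for k, v in self.active.items() if v == ip), None)

    def _allocate(self, key):
        if not self.free:
            self.log.append(f"error: pool exhausted, nothing for {key}")
            return ("not-allocated", None)
        self.active[key] = self.free.popleft()
        return ("allocated", self.active[key])

    def _mark_stale(self, key):
        self.free.append(self.active.pop(key))

    def current(self, key, framed_ip=None):
        """Behaviour described in the post: Framed-IP-Address is ignored."""
        if key in self.active:
            self._mark_stale(key)
        return self._allocate(key)

    def proposed(self, key, framed_ip=None):
        """The 'more complex patch' decision tree from the post."""
        entry = self.active.get(key)
        if entry is None:
            if framed_ip is None:
                return self._allocate(key)
            if self.in_range(framed_ip):
                self.log.append(f"warning: {key} sent {framed_ip}, "
                                f"active holder is {self.holder(framed_ip)}")
            return ("not-allocated", None)     # never allocate on a claimed IP
        if framed_ip is None:
            self._mark_stale(key)
            return self._allocate(key)
        if framed_ip == entry:
            return ("kept", entry)             # renegotiation: leave it alone
        self._mark_stale(key)
        self.log.append(f"error: {key} sent {framed_ip} but pool had {entry}; "
                        f"active holder is {self.holder(framed_ip)}")
        return ("not-allocated", None)


def replay(policy):
    """Initial login, then a re-auth that carries the assigned address."""
    pool = PoolModel("10.1.1.1", "10.1.1.254")   # range is an assumption
    handle = getattr(pool, policy)
    key = ("192.168.1.1", 1)                     # NAS/port from the debug log
    first = handle(key)
    second = handle(key, framed_ip=first[1])
    return first, second


def conflicting_claim():
    """A second NAS port claims an address that another session holds."""
    pool = PoolModel("10.1.1.1", "10.1.1.254")
    pool.proposed(("192.168.1.1", 1))
    result = pool.proposed(("192.168.1.1", 2), framed_ip="10.1.1.1")
    return result, pool.log, dict(pool.active)


if __name__ == "__main__":
    print("current :", replay("current"))
    print("proposed:", replay("proposed"))
    print("conflict:", conflicting_claim())
```

The conflicting_claim case is the one worth alerting on: a request that names an in-range address held by a different NAS-IP/NAS-port leaves the existing lease untouched and produces a log entry naming both keys.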





RE : IP Pool management and Re-authentication

2007-03-21 Thread Thibault Le Meur



> I've been using OpenVPN + Ralf's Radiusplugin for several months and
> recently moved away from server-side IP assignment. However, while I did use
> it, I found that in my configuration FreeRADIUS only assigned new IPs when
> the accounting for that user had stopped (ie, if it received a STOP packet).

Curious this is not what I see here ??
What is/was your FR server version ?

Anyway, Alan said that a 'good nas' should send the Framed-IP-Address in the
Access-Request if it has been already assigned one: this wasn't done by
radiusplugin, thus I think I'll keep the patch.

> This meant, that once I'd crashed the openvpn server 3 times with users on
> it :-) there were many IP's who were 'lost' - their sessions had never
> ended, hence the IP was never returned to the pool.

Sure, this is also true for my others NAS (pppd based), but they are quite
robust (I hope openvpn is/will be as robust ;-)).

> I was doing renegotiation every 20 minutes if I remember correctly, and the
> freeradius replied with the same IP for the user time and time again.

Interesting, what could explain that mine allocate new IP addresses each
time ?

Should rlm_ippool allocate the same IP for a NAS-IP/NAS-port couple if the
entry isn't cleaned from the pool ?

(Anyway, I think it's better to have FR not re-send Framed-IP-Address since
it would cause an unuseful write to the client-config file from the
radiusplugin.)

> Hence, I'm beginning to wonder if it's configuration-specific, because I
> didn't have any problems.

I can trust you, but I don't know where to search for a setup mistake.

Does someone have an idea ?

Thanks in advance,
Thibault





Re: RE : RE : IP Pool management and Re-authentication

2007-03-21 Thread Jan Mulders

I've been using OpenVPN + Ralf's Radiusplugin for several months and
recently moved away from server-side IP assignment. However, while I did use
it, I found that in my configuration FreeRADIUS only assigned new IPs when
the accounting for that user had stopped (ie, if it received a STOP packet).
This meant, that once I'd crashed the openvpn server 3 times with users on
it :-) there were many IP's who were 'lost' - their sessions had never
ended, hence the IP was never returned to the pool.

I was doing renegotiation every 20 minutes if I remember correctly, and the
freeradius replied with the same IP for the user time and time again. Hence,
I'm beginning to wonder if it's configuration-specific, because I didn't
have any problems.

Hope this helps,

Jan

On 21/03/07, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> > Thibault Le Meur wrote:
> > > I've patched the radiusplugin to add Framed-IP-Address to the re-auth
> > > request but rlm_ippool still allocates a new IP Address (I'm using FR
> > > 1.1.4).
> >
> >   Ok.  It seems like rlm_ippool should be updated to look for
> > Framed-IP-Address in the request.
> >
> >   That would be very useful, and would solve the problem you're seeing.
> >
> >   Alan DeKok.
>
> Do you mean updated (to 1.1.5) or patched ?
>
> I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't
> see any difference so I think the problem I'm seeing is still present in
> 1.1.5.
>
> Regards,
> Thibault


RE : RE : IP Pool management and Re-authentication

2007-03-21 Thread Thibault Le Meur

> Thibault Le Meur wrote:
> > I've patched the radiusplugin to add Framed-IP-Address to 
> the re-auth 
> > request but rlm_ippool still allocates a new IP Address 
> (I'm using FR 
> > 1.1.4).
> 
>   Ok.  It seems like rlm_ippool should be updated to look for 
> Framed-IP-Address in the request.
> 
>   That would be very useful, and would solve the problem 
> you're seeing.
> 
>   Alan DeKok.

Do you mean updated (to 1.1.5) or patched ?

I made a quick diff between rlm_ippool.c from 1.1.4 and 1.1.5 and I can't
see any difference so I think the problem I'm seeing is still present in
1.1.5.

Regards,
Thibault




Re: RE : IP Pool management and Re-authentication

2007-03-21 Thread Alan DeKok
Thibault Le Meur wrote:
> I've patched the radiusplugin to add Framed-IP-Address to the re-auth
> request but rlm_ippool still allocates a new IP Address (I'm using FR
> 1.1.4).

  Ok.  It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request.

  That would be very useful, and would solve the problem you're seeing.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : IP Pool management and Re-authentication

2007-03-21 Thread Thibault Le Meur
Hi Alan,

> > > I'd like to patch the openvpn-radiusplugin so that an extra
> > attribute
> > > is sent in the Access-Accept packets so that FR will be able to
> > > differentiate Initial and Renegotiation Access-Accept 
> requests and 
> > > only assign new IP address from the pool on Initial Access-Accept 
> > > requests.
> > 
> >   I think you mean Access-Request packet.
> 
> Sorry for the mistake, I meant Access-Request of course
> 
> >  If it doesn't have
> > a Framed-IP-Address attribute, FreeRADIUS can allocate & send 
> > one in an Access-Accept.
> >  If openvpn re-authenticates a 
> > session with an existing IP address, it should send 
> > Framed-IP-Address in the Access-Request.
> 
> I get you right, my patch may be as easy as to make 
> radiusplugin add the Framed-IP-Address attribute in the 
> Access-Request packet with the already assigned IP Address 
> when it is a renegotiation.

I've patched the radiusplugin to add Framed-IP-Address to the re-auth
request but rlm_ippool still allocates a new IP Address (I'm using FR
1.1.4).

I can see this in radiusd -X:
modcall: entering group postauth.ovpn for request 3
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 192.168.1.1/1
rlm_ippool: Allocating ip to nas/port: 192.168.1.1/1
rlm_ippool: num: 1
rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.168.1.1,port 1
  modcall[post-auth]: module "Ovpn_Main_Pool" returns ok for request 3

Where:
* 192.168.1.1 is the NAS IP Address
* 10.1.1.1 is the IP address allocated at connection time
* 10.1.1.2 is the IP address allocated at re-authentication time

Maybe I didn't understand you well: 
* Is rlm_ippool supposed to return NOOP if a Framed-IP-Address attribute is
present in the Request ?
OR
* is it up to me to bypass the rlm_ippool (by setting another
Post-Auth-Type) when a Re-Auth Request is performed (that is to say when a
Framed-IP-Address attribute is present in the Request) ?

Thanks in advance,
Thibault




RE : IP Pool management and Re-authentication

2007-03-20 Thread Thibault Le Meur
Thanks for your reply,

> Thibault Le Meur wrote:
> > Openvpn sometimes needs to renegotiate the connections and thus sends
> > authentication requests while the connection is still active (with an
> > already assigned IP address): this causes FR to assign a new IP
> > address from the pool (which seems normal since FR has no way to know
> > this is a renegotiation).
>
>   So why isn't the radiusplugin telling FreeRADIUS what the old IP
> address was?

Because it's still beta ;-), I can fix this

> > I'd like to patch the openvpn-radiusplugin so that an extra attribute
> > is sent in the Access-Accept packets so that FR will be able to
> > differentiate Initial and Renegotiation Access-Accept requests and
> > only assign new IP address from the pool on Initial Access-Accept
> > requests.
>
>   I think you mean Access-Request packet.

Sorry for the mistake, I meant Access-Request of course

>  If it doesn't have a Framed-IP-Address attribute, FreeRADIUS can
> allocate & send one in an Access-Accept.  If openvpn re-authenticates a
> session with an existing IP address, it should send Framed-IP-Address
> in the Access-Request.

I get you right, my patch may be as easy as to make radiusplugin add the
Framed-IP-Address attribute in the Access-Request packet with the already
assigned IP Address when it is a renegotiation.

Thanks a lot Alan.

Regards,
Thibault




Re: IP Pool management and Re-authentication

2007-03-20 Thread Alan DeKok
Thibault Le Meur wrote:
> Openvpn sometimes needs to renegotiate the connections and thus sends
> authentication requests while the connection is still active (with an
> already assigned IP address): this causes FR to assign a new IP address from
> the pool (which seems normal since FR has no way to know this is a
> renegotiation).

  So why isn't the radiusplugin telling FreeRADIUS what the old IP
address was?

> I'd like to patch the openvpn-radiusplugin so that an extra attribute is
> sent in the Access-Accept packets so that FR will be able to differentiate
> Initial and Renegotiation Access-Accept requests and only assign new IP
> address from the pool on Initial Access-Accept requests.

  I think you mean Access-Request packet.  If it doesn't have a
Framed-IP-Address attribute, FreeRADIUS can allocate & send one in an
Access-Accept.  If openvpn re-authenticates a session with an existing
IP address, it should send Framed-IP-Address in the Access-Request.

> Do you know a standard Radius attribute that could be used for this ?
> As far as you know, are there other NASes using such a quirk ? Does this
> make sense ?

  It makes sense.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Ip Pool group assignment

2006-08-29 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> Alan, excuse me for a question: I have read the documentation but I think
> that it's impossible to do it with chillispot, is that true? Isn't there
> an open-source NAS that can do it?

  No idea, sorry.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Ip Pool group assignment

2006-08-29 Thread Giuseppina Venezia

On 8/27/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
>   Read the NAS documentation to see what magic is required to get it
> to accept the IP address from FreeRADIUS.

Alan, excuse me for a question: I have read the documentation but I think
that it's impossible to do it with chillispot, is that true? Isn't there
an open-source NAS that can do it?
Thanks
Giusy


Re: Ip Pool group assignment

2006-08-27 Thread Giuseppina Venezia

Many thanks Alan for your fundamental help, without your help I could
not have done very much.
This forum has all the characteristics that an ideal forum should
have: swiftness, clearness and efficiency.

Thanks Again
Best Regards, Giusy


Re: Ip Pool group assignment

2006-08-27 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> I want that only "professors" gets an IP pool.
> I made this:
...
> and it seems to work, it assign an IP but, the IP is not real assigned.

  OK...

> Sending Access-Accept of id 0 to 127.0.0.1 port 1039
>Service-Type == Framed-User
>Framed-IP-Address = 192.168.182.234
>Framed-IP-Netmask = 255.255.255.0

  So everything works as configured.  Wonderful!

> It seems to assign 192.168.182.234 but the user has
> 192.168.182.3  why doesn't it assign the IP?

  Ask the NAS.  At this point, it looks like you have the server
configured correctly, and it's doing what you want.  But the *NAS*
isn't doing what you want.  Please don't blame FreeRADIUS for that.

  Read the NAS documentation to see what magic is required to get it
to accept the IP address from FreeRADIUS.

  And after a *large* number of messages, it looks like you have a
clear approach to solving the problem.  This is why we suggest posting
full debug logs at the start, along with descriptions of what you
expect should be happening.  It makes solving the problem infinitely
easier.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Ip Pool group assignment

2006-08-27 Thread Giuseppina Venezia

On 8/26/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
>   If you want EVERYONE to get an IP pool, do:
>
> DEFAULT Pool-Name := "main_pool"
> Fall-Through = Yes
>
>   Alan DeKok.

I want only "professors" to get an IP pool.
I made this:
DEFAULT Auth-Type = LDAP
   Fall-Through = 1
DEFAULT Pool-Name :="main_pool", Ldap-Group == "professor"
   Service-Type == Framed-User,
   Fall-Through = yes
and it seems to work: it assigns an IP, but the IP is not really assigned.

He's a professor:
.

rad_recv: Access-Request packet from host 127.0.0.1:1039, id=0, length=220
  User-Name = "prof1"
  CHAP-Challenge = 0xefc559504d3ba3c9fa54b43a24630c73
  CHAP-Password = 0x006ddd83222dfe14d8bde3f858d2270462
  NAS-IP-Address = 127.0.0.1
  Service-Type = Login-User
  Framed-IP-Address = 192.168.182.3
  Calling-Station-Id = "00-02-C7-8F-A0-16"
  Called-Station-Id = "00-50-BF-E3-E8-2A"
  NAS-Identifier = "localhost"
  Acct-Session-Id = "44f16e9a0001"
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 1
  Message-Authenticator = 0x27936b28337edbd63b0c974cd804f9d2
  WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
  rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL
  rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
  users: Matched entry DEFAULT at line 154
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=statistica,dc=mydomain,dc=it'
radius_xlat:  '(uid=prof1)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=mydomain,dc=it/password to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=statistica,dc=mydomain,dc=it, with
filter (uid=prof1)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=cn\3dMaurizio
Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstatistica\2cdc\3dmydomain\2cdc\3dit))(&(objectClass=GroupOfU$
Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstatistica\2cdc\3dmydomain\2cdc\3dit)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=statistica,dc=mydomain,dc=it, with
filter (&(cn=professor)(|(&(objectClass=GroupOfNames)(member=cn\3dMaurizio
Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstatistica\2cdc\3dmydomain\2cdc\3dit))(&(objectClass=GroupOfU$
Costanzo\2cou\3dfaculty\2cou\3ddspsa\2cou\3dstatistica\2cdc\3dmydomain\2cdc\3dit
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Maurizio
Costanzo,ou=faculty,ou=dspsa,ou=statistica,dc=mydomain,dc=it, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group professor
rlm_ldap: ldap_release_conn: Release Id: 0
  users: Matched entry DEFAULT at line 176
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prof1
radius_xlat:  '(uid=prof1)'
radius_xlat:  'ou=statistica,dc=mydomain,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=statistica,dc=mydomain,dc=it, with
filter (uid=prof1)
rlm_ldap: checking if remote access for prof1 is allowed by userPassword
rlm_ldap: Added password a in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value
C4-5A-5E-D0-1F-F4 & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value
00-02-C7-8F-A0-16 & op=21
rlm_ldap: Adding userPassword as User-Password, value a & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user prof1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16
rlm_checkval: Value Name: Calling-Station-Id, Value: C4-5A-5E-D0-1F-F4
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16
modcall[authorize]: module "checkval" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
mod

Re: Ip Pool group assignment

2006-08-26 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> prova   Pool-Name:="main_pool", Auth-Type := Local, User-Password == "a"

What has to be done to convince people not to set Auth-Type?

> When I try to login with LDAP users the debug says that can't find
> Pool-Name attribute (but as shown in the first post) Pool-Name
> attribute is set in the users file.

  It's set only for people who aren't using LDAP.

  If you want EVERYONE to get an IP pool, do:

DEFAULT Pool-Name := "main_pool"
Fall-Through = Yes

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Ip Pool group assignment

2006-08-26 Thread Giuseppina Venezia

>   You have to tell the server which pool to use.  See the rlm_ippool
> documentation.
>
>   Alan DeKok.

Ok, thanks Alan

I've read the documentation about rlm_ippool on freeradius wiki and in
particular
http://wiki.freeradious.org/index.php/Ippool_and_radius_clients (I've
not found rlm_ippool documentation in freeradius installed docs).
Now I've specified the NAS-IP-Address and NAS-Identifier in
chillispot, with the same results when I try to login with this user:

prova   Pool-Name:="main_pool", Auth-Type := Local, User-Password == "a"
   Service-Type = Framed-User,
   Fall-Through = no
defined in users file

This is the new output:

rlm_ippool: Searching for an entry for nas/port: 127.0.0.1/1
rlm_ippool: Searching for an entry for nas/port: 127.0.0.1/1
rlm_ippool: Allocating ip to nas/port: 127.0.0.1/1
rlm_ippool: num: 1
rlm_ippool: Allocated ip 192.168.182.138 to client on nas 127.0.0.1,port 1
 modcall[post-auth]: module "main_pool" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 0 to 127.0.0.1 port 1061
   Service-Type = Framed-User
   Framed-IP-Address = 192.168.182.138
   Framed-IP-Netmask = 255.255.255.0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 127.0.0.1:1059, id=0, length=134
   Acct-Status-Type = Start
   User-Name = "prova"
   Calling-Station-Id = "00-02-C7-8F-A0-16"
   Called-Station-Id = "00-50-BF-E3-E8-2A"
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 1
   NAS-Port-Id = "0001"
   NAS-IP-Address = 127.0.0.1
   NAS-Identifier = "localhost"
   Framed-IP-Address = 192.168.182.3
   Acct-Session-Id = "44f082540001"
 Processing the preacct section of radiusd.conf

When I try to login with LDAP users the debug says that can't find
Pool-Name attribute (but as shown in the first post) Pool-Name
attribute is set in the users file.
What's wrong in the first and in the second cases?

Thanks, Giusy


Re: Ip Pool group assignment

2006-08-26 Thread Alan DeKok
"Giuseppina Venezia" <[EMAIL PROTECTED]> wrote:
> When i log in directly with default user (user "prova" , defined in
> users file) it seems to assign ip, but it really doesn't (the client
> doesn't obtain the assigned ip address).
> When i log in directly with an OpenLdap user, it says that can't find
> Pool-Name attribute.

  You have to tell the server which pool to use.  See the rlm_ippool
documentation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: ip pool

2006-06-02 Thread vertito
That simply means you need to call them from the Accounting and Post-Auth
module sections of the radius conf. See more about the Pool-Name attribute as well.

Hello Vertito,

Thanks for your information. But I did not get the meaning of the attributes
in the below sentence,

don't forget to call them from conf and from attributes.

I have configured these things in radiusd.conf. But I am not getting why it
is required, because without these configurations I am able to do
authentication successfully.

range-start = 192.168.1.1
range-stop = 192.168.1.200
netmask = 255.255.255.255
cache-size = 56
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = yes
maximum-timeout = 90
Regards,
Basavaraja.
-Original Message-
From: vertito [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 02, 2006 11:07 AM
To: 'Basavaraja.pv'; 'FreeRadius users mailing list'
Subject: RE: ip pool


range-start = 192.168.1.1
range-stop = 192.168.1.200
netmask = 255.255.255.255
cache-size = 56
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = yes
maximum-timeout = 90 


Don't forget to call them from conf and from attributes.

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On Behalf Of Basavaraja.pv
Sent: Friday, June 02, 2006 10:00 AM
To: freeradius-users@lists.freeradius.org
Subject: ip pool

Hello Sir,


I went through the radiusd.conf file. I am not getting the exact purpose of
the ippool main_pool {
    range-start = 192.168.1.1
    range-stop = 192.168.3.254
}
Please give me the working of the above code.

Thanks and Regards,
Basavaraja

RE: ip pool

2006-06-02 Thread vertito

range-start = 192.168.1.1
range-stop = 192.168.1.200
netmask = 255.255.255.255
cache-size = 56
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = yes
maximum-timeout = 90 


Don't forget to call them from conf and from attributes.

-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On Behalf Of Basavaraja.pv
Sent: Friday, June 02, 2006 10:00 AM
To: freeradius-users@lists.freeradius.org
Subject: ip pool

Hello Sir,


I went through the radiusd.conf file. I am not getting the exact purpose of
the ippool main_pool {
    range-start = 192.168.1.1
    range-stop = 192.168.3.254
}
Please give me the working of the above code.

Thanks and Regards,
Basavaraja


Re: Re: Ip pool doesn't works properly

2005-06-07 Thread Dustin Doris
On Tue, 7 Jun 2005, Simone Giovanardi wrote:

> > Hi,
> >
> >  How can I configure FreeRADIUS to assign IP address dynamically with Ip
> >  Pool when there is a successful authentication from Cisco 7200 access
> >  server with FreeRADIUS 1.0.0?
> >
> > Like this it works sending out only 2 ip address...always the same...
>
> Is your Cisco sending a unique nasport/nasip for each client?  Ip pool
> uses the nasip/nasport to identify the user.
>
> YES
>
> FROM LOGS SHOWED BELOW, IT SENDS OUT THE SAME TWO ADDRESS AND
>
> DOESN'T KEEP ANYONE ENTRY IN YOUR DATABASE .IPPOOL (VIEWED WITH 
> rlm_ippool_tool -a ...)
>

Unique nasip/nasport.  Unique being the key word.  Your NAS is sending
over nas-port of 0 for all requests.  This makes it look like it's the same
user.


> rad_recv: Access-Request packet from host 83.216.176.254:21661, id=219, 
> length=95
> Framed-Protocol = PPP
> User-Name = "font0001@"
> CHAP-Password = 0x01af73ef6670b0a4a65130cb133a902c2f
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = Framed-User
> NAS-IP-Address = 83.216.176.254

> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0


> rad_recv: Access-Request packet from host 83.216.176.254:21661, id=220, 
> length=95
> Framed-Protocol = PPP
> User-Name = "font0001@"
> CHAP-Password = 0x01852ebbe42598a17861fa2b06de488ff7
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = Framed-User
> NAS-IP-Address = 83.216.176.254
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Found a stale entry for ip/port: 83.216.178.190/0
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 83.216.178.213 to client on nas 83.216.176.254,port 0



> rad_recv: Access-Request packet from host 83.216.176.254:21661, id=226, 
> length=80
> Framed-Protocol = PPP
> User-Name = "satc0002@"
> CHAP-Password = 0x0193da4f830e1c9dfa12364d6122880c8f
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = Framed-User
> NAS-IP-Address = 83.216.176.254

> rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
> rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0


Notice the nasip and nasport are the same for each request.  Ip_pool keys
off the combination of nasip/nasport to determine the UNIQUE user.  You
need to configure your NAS to send over a unique nasport for each user.

In cisco, the nas-port is a 32 bit number.

Typically, the first 8 bits make up the interface.  This is broken down
into 4 bits/1 bit/3 bits of slot/mod/port.  The second 8 bits makes up the
vpi and the last 16 make up the vci.

So if you were located in interface 1/0/3 with a PVC of 33/48, the
Nas-Port would represent that.

Read the Cisco documentation.  Try something like this.

Router(config)# radius-server attribute nas-port format d

In order to use ip-pool you need to have a unique nasport sent over or
modify the code to trigger off something else.

Hope that helps.

-Dusty Doris
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
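
Both symptoms discussed on this page, every user of a NAS arriving with NAS-Port 0 (the post above) and an OpenVPN re-authentication being handed a new address (the thread earlier on the page), leave the same trace in radiusd -X: a "stale entry" line followed by a different "Allocated ip". The following is an added example, not FreeRADIUS code and not from any poster; it separates the two cases from debug output and splits a Cisco NAS-Port into the fields described in the post above. The sample log is constructed and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed debug output in the shape of the radiusd -X lines quoted in these
# threads (documentation addresses, invented users); not a real capture.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.254:21661, id=1, length=95
    User-Name = "alice"
    NAS-Port = 0
    NAS-IP-Address = 192.0.2.254
rlm_ippool: Searching for an entry for nas/port: 192.0.2.254/0
rlm_ippool: Allocated ip 198.51.100.10 to client on nas 192.0.2.254,port 0
rad_recv: Access-Request packet from host 192.0.2.254:21661, id=2, length=95
    User-Name = "bob"
    NAS-Port = 0
    NAS-IP-Address = 192.0.2.254
rlm_ippool: Found a stale entry for ip/port: 198.51.100.10/0
rlm_ippool: Allocated ip 198.51.100.11 to client on nas 192.0.2.254,port 0
rad_recv: Access-Request packet from host 192.0.2.1:1039, id=3, length=110
    User-Name = "carol"
    NAS-Port = 1
    NAS-IP-Address = 192.0.2.1
rlm_ippool: Allocated ip 10.1.1.1 to client on nas 192.0.2.1,port 1
rad_recv: Access-Request packet from host 192.0.2.1:1039, id=4, length=116
    User-Name = "carol"
    NAS-Port = 1
    NAS-IP-Address = 192.0.2.1
    Framed-IP-Address = 10.1.1.1
rlm_ippool: Found a stale entry for ip/port: 10.1.1.1/1
rlm_ippool: Allocated ip 10.1.1.2 to client on nas 192.0.2.1,port 1
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+) = "?([^"]*)"?\s*$')
STALE_RE = re.compile(r"rlm_ippool: Found a stale entry for ip/port: (\S+)/(\d+)")
ALLOC_RE = re.compile(r"rlm_ippool: Allocated ip (\S+) to client on nas (\S+),port (\d+)")


def parse_events(log):
    """Return one record per pool allocation, tied to the request that caused it."""
    events, attrs, stale = [], {}, None
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            attrs, stale = {}, None          # a new request begins
            continue
        m = ALLOC_RE.search(line)
        if m:
            events.append({
                "key": (m.group(2), int(m.group(3))),   # (NAS IP, NAS port)
                "user": attrs.get("User-Name"),
                "requested": attrs.get("Framed-IP-Address"),
                "old": stale,                           # address the key held before
                "new": m.group(1),
            })
            continue
        m = STALE_RE.search(line)
        if m:
            stale = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return events


def find_key_collisions(events):
    """NAS/port keys used by more than one User-Name: the NAS-Port = 0 case."""
    users = defaultdict(set)
    for e in events:
        users[e["key"]].add(e["user"])
    return {k: sorted(u) for k, u in users.items() if len(u) > 1}


def find_reauth_churn(events):
    """Same user on the same key whose previous address was replaced."""
    last_user, churn = {}, []
    for e in events:
        if last_user.get(e["key"]) == e["user"] and e["old"] and e["old"] != e["new"]:
            churn.append(e)
        last_user[e["key"]] = e["user"]
    return churn


def decode_cisco_nas_port(value):
    """Split a 32-bit NAS-Port as the post describes it:
    slot (4 bits) / module (1) / port (3), then VPI (8), then VCI (16)."""
    return {"slot": (value >> 28) & 0xF, "module": (value >> 27) & 0x1,
            "port": (value >> 24) & 0x7, "vpi": (value >> 16) & 0xFF,
            "vci": value & 0xFFFF}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for key, names in find_key_collisions(evts).items():
        print("shared pool key", key, "used by", names)
    for e in find_reauth_churn(evts):
        print("address changed on re-auth:", e["user"], e["old"], "->", e["new"],
              "(request carried Framed-IP-Address %s)" % e["requested"])
    print(decode_cisco_nas_port(0x13210030))  # interface 1/0/3, PVC 33/48
```

An address that changes in the middle of a session also breaks any log correlation that maps an IP back to a user, so either finding is worth fixing on the NAS side before relying on the pool.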


Re: Re: Ip pool doesn't works properly

2005-06-07 Thread Simone Giovanardi
> Hi,
>
>  How can I configure FreeRADIUS to assign IP address dynamically with Ip
>  Pool when there is a successful authentication from Cisco 7200 access
>  server with FreeRADIUS 1.0.0?
>
> Like this it works sending out only 2 ip address...always the same...

Is your Cisco sending a unique nasport/nasip for each client?  Ip pool
uses the nasip/nasport to identify the user.

YES

FROM LOGS SHOWED BELOW, IT SENDS OUT THE SAME TWO ADDRESS AND

DOESN'T KEEP ANYONE ENTRY IN YOUR DATABASE .IPPOOL (VIEWED WITH rlm_ippool_tool 
-a ...)

run radiusd -X and have several users establish a connection.  Post the
output here if you can't decipher it.

rad_recv: Access-Request packet from host 83.216.176.254:21661, id=219, 
length=95
Framed-Protocol = PPP
User-Name = "font0001@"
CHAP-Password = 0x01af73ef6670b0a4a65130cb133a902c2f
NAS-Port-Type = Virtual
NAS-Port = 0
Service-Type = Framed-User
NAS-IP-Address = 83.216.176.254
rad_lowerpair:  User-Name now 'font0001@'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module "preprocess" returns ok for request 13
radius_xlat:  
'/freerad100/var/log/radius/radacct/83.216.176.254/auth-detail-20050607'
rlm_detail: 
/freerad100/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /freera
d100/var/log/radius/radacct/83.216.176.254/auth-detail-20050607
  modcall[authorize]: module "auth_log" returns ok for request 13
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 13
  modcall[authorize]: module "mschap" returns noop for request 13
rlm_realm: No '/' in User-Name = "font0001@", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "IPASS" returns noop for request 13
rlm_realm: Looking up realm "@" for User-Name = "font0001@"
rlm_realm: No such realm "@"
  modcall[authorize]: module "suffix" returns noop for request 13
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 13
  modcall[authorize]: module "files" returns notfound for request 13
radius_xlat:  'font0001@'
rlm_sql (sql): sql_set_user escaped user --> 'font0001@'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '[EMAIL PROTECTED]
m.it' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Valu
e,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'font0001@' AN
D usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '[EMAIL PROTECTED]
m.it' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Valu
e,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 
'font0001@' AN
D usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 13
modcall: group authorize returns ok for request 13
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied CHAP-Password matches local User-Password
Login OK: [font0001@/] (from client Telecom-BRAS1-3 port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 13
  modcall[post-auth]: module "main_pool" returns noop for request 13
rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
rlm_ippool: Found a stale entry for ip/port: 83.216.178.213/0
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 83.216.176.254/0
rlm_ippool: Allocating ip to nas/port: 83.216.176.254/0
rlm_ippool: num: 1
rlm_ippool: Allocated ip 83.216.178.190 to client on nas 83.216.176.254,port 0
  modcall[post-auth]: module "whsitt_pool" returns ok for request 13
radius_xlat:  
'/freerad100/var/log/radius/radacct/83.216.176.254/reply-detail-20050607'
rlm_detail: 
/freerad100/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to /freer
ad100/var/log/radius/radacct/83.216.176.254/reply-detail-20050607
  modcall[post-auth]: module "reply_log" returns ok for request 13
rlm_sql (sql): Processing sql_postauth
radius_xlat:  'font0001@'
rlm_sql (sql): sql_set_user escaped user --> 'font0001@'
radius_xlat:  'INSERT into radpostauth (id, user, pass, reply, date) values 
('', '[EMAIL PROTECTED]
t', 'Chap-Password', 'Access-Accept', NOW())'
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, 
pass, reply, date) values ('',
 'font0001@', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
  modcall[post-auth]: module "sql" returns ok for request 13
modcall: group post-auth returns ok f

Re: Ip pool doesn't works properly

2005-06-06 Thread Dustin Doris
On Mon, 6 Jun 2005, Simone Giovanardi wrote:

> Hi,
>
>  How can I configure FreeRADIUS to assign IP address dynamically with Ip
>  Pool when there is a successful authentication from Cisco 7200 access
>  server with FreeRADIUS 1.0.0?
>
> Like this it works sending out only 2 ip address...always the same...

Is your Cisco sending a unique nasport/nasip for each client?  Ip pool
uses the nasip/nasport to identify the user.

run radiusd -X and have several users establish a connection.  Post the
output here if you can't decipher it.




Re: ip-pool

2005-04-20 Thread Alan DeKok
"Tom Fritz" <[EMAIL PROTECTED]> wrote:
> I really don't know what i'm doing wrong. Probably I have misunderstood
> something. I'm using ttls/md5 authentication it's working fine and I get an
> ip address from a dhcp server.

  That's the way that wireless works.  You can't change it.

  Authentication is via EAP, IP addresses are via DHCP.

  Now, if you had a DHCP to RADIUS gateway, you could forward the DHCP
request to the RADIUS server, and it could assign an address to the
user.  But DHCP would still be used, and no such gateway exists in
GPL'd code.

  Alan DeKok.



RE: ip-pool

2005-04-20 Thread Dustin Doris

>
> Hi,
>
> I really don't know what i'm doing wrong. Probably I have misunderstood
> something. I'm using ttls/md5 authentication it's working fine and I get an
> ip address from a dhcp server.
>
> To get the ip address from an ippool I have made the following
> configurations:
>
> - user file:
> user_name User-Password == "", Pool-Name := "my_pool"
>   Service-Type = Framed-User,
>   Framed-Protocol = PPP,
>   Framed-MTU = 1500,
>
> - radiusd.conf file:
>
> ippool my_pool{
>   range-start = 10.0.0.11
>   range-stop  = 10.0.0.30
>   netmask = 255.0.0.0
>   cache-size  = 800
>   session-db  = ${raddbdir}/ip-pool.db
>   ip-index= ${raddbdir}/ip-index.db
>   override= no
>   maximum-timeout = 0
> }
>
> And the Access accept message looks like this:
>
> ..
> rlm_ippool: Allocated ip 10.0.0.26 to client on nas 10.0.0.1,port 503
> ..
> Sending Access-Accept of id 62 to 10.0.0.1:21647
>   Service-Type = Framed-User,
>   Framed Protocol = PPP,
>   Framed MTU = 1500,
>   MS-MPPE-Recv-Key = 0x***
>   MS-MPPE-Send-Key = 0x***
>   EAP-Message = 0x*
>   Message-Authenticator = 0x*
>   User-Name = "user_name"
>   Framed-IP-Address = 10.0.0.26
>   Framed-IP-Netmask = 255.0.0.0
>
> The NAS still receives his IP address from the DHCP server and not from the
> radius server.
>
> Could you please tell me which rfc's to read
>
> Thanks for the reply
> Tom Fritz
>

Radius did its job and sent back the Framed-IP-Address and whatever reply
items you gave it.  It's up to the NAS to use that radius reply value and
assign it to the user.  You have to read the documentation on your NAS and
see what radius values it needs and how to enable it to use the radius
values instead of using dhcp.




RE: ip-pool

2005-04-20 Thread Tom Fritz

Hi,

I really don't know what i'm doing wrong. Probably I have misunderstood
something. I'm using ttls/md5 authentication it's working fine and I get an
ip address from a dhcp server.

To get the ip address from an ippool I have made the following
configurations:

- user file:
user_name User-Password == "", Pool-Name := "my_pool"
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1500,

- radiusd.conf file:

ippool my_pool{
  range-start = 10.0.0.11
  range-stop  = 10.0.0.30
  netmask = 255.0.0.0
  cache-size  = 800
  session-db  = ${raddbdir}/ip-pool.db
  ip-index= ${raddbdir}/ip-index.db
  override= no
  maximum-timeout = 0
}

And the Access accept message looks like this:

..
rlm_ippool: Allocated ip 10.0.0.26 to client on nas 10.0.0.1,port 503
..
Sending Access-Accept of id 62 to 10.0.0.1:21647
  Service-Type = Framed-User,
  Framed Protocol = PPP,
  Framed MTU = 1500,
  MS-MPPE-Recv-Key = 0x***
  MS-MPPE-Send-Key = 0x***
  EAP-Message = 0x*
  Message-Authenticator = 0x*
  User-Name = "user_name"
  Framed-IP-Address = 10.0.0.26
  Framed-IP-Netmask = 255.0.0.0

The NAS still receives his IP address from the DHCP server and not from the
radius server. 

Could you please tell me which rfc's to read

Thanks for the reply
Tom Fritz 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Tuesday, 19 April 2005 18:46
To: freeradius-users@lists.freeradius.org
Subject: Re: ip-pool 

"Tom Fritz" <[EMAIL PROTECTED]> wrote:
> The radius server is sending the correct "Framed-IP-Address" with the
> "Access-Accept" message, but it isn't assigned to the connection.

  Then the NAS is not doing what it's told.

  Either the NAS is buggy, or you didn't assign Framed-Protocol and
Service-Type, too.  See the RFC's, or your NAS documentation.

  Alan DeKok.




Re: ip-pool

2005-04-19 Thread Alan DeKok
"Tom Fritz" <[EMAIL PROTECTED]> wrote:
> The radius server is sending the correct "Framed-IP-Address" with the
> "Access-Accept" message, but it isn't assigned to the connection.

  Then the NAS is not doing what it's told.

  Either the NAS is buggy, or you didn't assign Framed-Protocol and
Service-Type, too.  See the RFC's, or your NAS documentation.

  Alan DeKok.




RE: Ip pool management

2005-03-03 Thread Sébastien Cantos
Ok it works with :

DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"
  Framed-Protocol = PPP,
  Framed-MTU = 576

Thanks a lot for your help.

Kind Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Alan DeKok
> Sent: Thursday, 3 March 2005 17:41
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Ip pool management
> 
> "Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> > The problem is  that it is complaining:
> > rlm_ippool: could not find Pool-Name attribute
> 
>   The *module* is printing that message because the Pool-Name
> attribute is not found in the list of check items.
> 
> > For my *newbie* understanding, if the Pool-name is a check item it
> > should be in the request I get from my clients.
> 
>   No.  Nothing in the server documentation would lead you to that
> conclusion.  The documentation would lead you to the *correct*
> conclusion, which is that the "check" items are not the 
> "request" items.
> 
>   Alan DeKok.
> 


Re: Ip pool management

2005-03-03 Thread Alan DeKok
"Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> The problem is  that it is complaining:
> rlm_ippool: could not find Pool-Name attribute

  The *module* is printing that message because the Pool-Name
attribute is not found in the list of check items.

> For my *newbie* understanding, if the Pool-name is a check item it
> should be in the request I get from my clients.

  No.  Nothing in the server documentation would lead you to that
conclusion.  The documentation would lead you to the *correct*
conclusion, which is that the "check" items are not the "request" items.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
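
The check-item / reply-item distinction discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a small Python lint that splits users-file entries into check items (first line) and reply items (indented lines) and reports entries where Pool-Name landed among the reply items. The function names are hypothetical, the parser handles only the simple syntax shown in the thread, and the indentation of the two sample entries is constructed.

```python
import re

# attribute, operator, value; ":=" and "==" are tried before the bare "=".
_ITEM = re.compile(r'^\s*([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*(.+?)\s*$')
# A comma followed by an even number of double quotes lies outside a string.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def _items(text):
    """Split 'A == b, C := "d"' into (attribute, operator, value) tuples."""
    out = []
    for part in _COMMA.split(text):
        if not part.strip():
            continue                      # trailing comma at end of a line
        m = _ITEM.match(part)
        if m is None:
            raise ValueError(f"unparseable item: {part.strip()!r}")
        out.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return out

def parse_users(text):
    """Parse users-file text into entries with separate check and reply lists."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank line or comment
        if raw[0].isspace():              # indented line: reply items
            if not entries:
                raise ValueError(f"line {lineno}: reply items before any entry")
            entries[-1]['reply'] += _items(raw)
        else:                             # column 0: name, then check items
            fields = raw.split(None, 1)
            entries.append({'line': lineno, 'name': fields[0],
                            'check': _items(fields[1] if len(fields) > 1 else ''),
                            'reply': []})
    return entries

def misplaced_pool_name(entries):
    """(line, name) of entries whose Pool-Name is a reply item, not a check item."""
    def has(items):
        return any(attr == 'Pool-Name' for attr, _, _ in items)
    return [(e['line'], e['name']) for e in entries
            if has(e['reply']) and not has(e['check'])]

# Constructed from the two entries posted in this thread (indentation added).
BROKEN = ('DEFAULT Service-Type == Framed-User\n'
          '    Pool-Name := osiris-pool,\n'
          '    Framed-Protocol = PPP,\n'
          '    Framed-MTU = 576\n')
FIXED = ('DEFAULT Service-Type == Framed-User, Pool-Name := "main_pool"\n'
         '    Framed-Protocol = PPP,\n'
         '    Framed-MTU = 576\n')

if __name__ == '__main__':
    for label, text in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, misplaced_pool_name(parse_users(text)))
```
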


RE: Ip pool management

2005-03-03 Thread Sébastien Cantos
Yes you are right. Launching the server in debug mode told me that Pool-name
is a check item and that it should be on the first line. The problem is that
it is complaining:
rlm_ippool: could not find Pool-Name attribute

For my *newbie* understanding, if the Pool-name is a check item it should be
in the request I get from my clients. Am I right?
If yes, I can't modify the I got from the NAS (it's not mine). So is there a
way to use ippool without this check item ? 
Thanks for your help. 

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Alan DeKok
> Sent: Wednesday, 2 March 2005 18:50
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Ip pool management
> 
> "Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> > I've followed instructions in radiusd.conf :
> > My users file looks like this:
> > DEFAULT Service-Type == Framed-User
> > Pool-Name := osiris-pool,
> 
>   You did not follow the instructions in radiusd.conf.  The
> "Pool-Name" attribute should go on the first line.
> 
>   If you had run the server in debugging mode, the server would have
> told you this.
> 
>   Alan DeKok.
> 
> 


Re: Ip pool management

2005-03-02 Thread Alan DeKok
"Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> I've followed instructions in radiusd.conf :
> My users file looks like this:
> DEFAULT Service-Type == Framed-User
> Pool-Name := osiris-pool,

  You did not follow the instructions in radiusd.conf.  The
"Pool-Name" attribute should go on the first line.

  If you had run the server in debugging mode, the server would have
told you this.

  Alan DeKok.




RE: Ip pool management

2005-03-02 Thread Sébastien Cantos
Hi,

I've followed instructions in radiusd.conf :
My users file looks like this:
DEFAULT Service-Type == Framed-User
  Pool-Name := osiris-pool,
  Framed-Protocol = PPP,
  Framed-MTU = 576

And in my radiusd.conf I've:
post-auth {
  #  Get an address from the IP Pool.
  #   main_pool
  osiris-pool
  ...
}

modules {
  ...
  ippool osiris-pool {
    range-start = 192.168.52.1
    range-stop = 192.168.52.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${raddbdir}/db.ippool
    ip-index = ${raddbdir}/db.ipindex
  }
}

I get this error :
rlm_ippool: could not find Pool-Name attribute 

And my client doesn't get back the IP. 

I surely miss something  Could someone help me please ?

Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Alan DeKok
> Sent: Tuesday, 1 March 2005 18:50
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Ip pool management
> 
> "Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> > I would like to configure my radius to give the first available IP in the
> > subnet 192.168.52.0/24 without caring about the NAS modem number.
> > Is there a way to configure this ?
> 
>   Read radiusd.conf.  Look for "ippool"
> 
>   Alan DeKok.
> 


Re: Ip pool management

2005-03-01 Thread Alan DeKok
"Sébastien Cantos" <[EMAIL PROTECTED]> wrote:
> I would like to configure my radius to give the first available IP in the
> subnet 192.168.52.0/24 without caring about the NAS modem number.
> Is there a way to configure this ? 

  Read radiusd.conf.  Look for "ippool"

  Alan DeKok.



Re: ip pool in mysql

2004-10-27 Thread Lito Lampitoc
but you are assigning ip with your NAS, I need a schema that has ip pool
provision. Honestly, I'm not sure if it will work with MySQL.

On Tue, 2004-10-26 at 04:03, Martin Jessa wrote:
> Hi.
> 
> I use Mikrotik as my NAS server and there i have configured an IP-Pool called 
> Official
> And this is my SQL:
> 
> CREATE TABLE radreply (
>   id int(11) unsigned NOT NULL auto_increment,
>   UserName varchar(64) NOT NULL default '',
>   Attribute varchar(32) NOT NULL default '',
>   op char(2) NOT NULL default '=',
>   Value varchar(253) NOT NULL default '',
>   prio int(10) unsigned NOT NULL default '0',
>   PRIMARY KEY  (id),
>   KEY UserName (UserName(32))
> ) TYPE=MyISAM;
> 
> 
> INSERT INTO radreply VALUES (341,'username','Ascend-Data-Rate','=','524288',0);
> INSERT INTO radreply VALUES (340,'username','Ascend-Data-Rate','=','524288',1);
> INSERT INTO radreply VALUES (339,'username','Port-Limit','=','1',0);
> INSERT INTO radreply VALUES 
> (338,'username','Framed-IP-Address','=','255.255.255.254',0);
> INSERT INTO radreply VALUES (402,'username','Framed-Pool',':=','Official',0);
> 
> 
> Any other values are taken care of by the NAS server.
> 
> Cheers.
> 
> 
> On Tue, 26 Oct 2004 14:09:55 -0700
> ral <[EMAIL PROTECTED]> wrote:
> 
> > Hi,
> > 
> > I'm trying to use mysql with freeradius, my problem is, it looks like ip
> > pool doesn't work, I'm not sure with my schema though, can anyone give
> > me a sample of the schema for this?
> > 
> > 
> > Thanks.
> > 
> > Lito 
> > 
> > 


Re: ip pool in mysql

2004-10-26 Thread Nachko Halachev
Hi,

Make use of '=' operand instead of ':=' for Reply Attribute. And don't
forget to read Docs ;-)


On Tuesday 26 October 2004 14:03, Martin Jessa wrote:
> Hi.
>
> I use Mikrotik as my NAS server and there i have configured an IP-Pool
> called Official And this is my SQL:
>
> CREATE TABLE radreply (
>   id int(11) unsigned NOT NULL auto_increment,
>   UserName varchar(64) NOT NULL default '',
>   Attribute varchar(32) NOT NULL default '',
>   op char(2) NOT NULL default '=',
>   Value varchar(253) NOT NULL default '',
>   prio int(10) unsigned NOT NULL default '0',
>   PRIMARY KEY  (id),
>   KEY UserName (UserName(32))
> ) TYPE=MyISAM;
>
>
> INSERT INTO radreply VALUES (341,'username','Ascend-Data-Rate','=','524288',0);
> INSERT INTO radreply VALUES (340,'username','Ascend-Data-Rate','=','524288',1);
> INSERT INTO radreply VALUES (339,'username','Port-Limit','=','1',0);
> INSERT INTO radreply VALUES (338,'username','Framed-IP-Address','=','255.255.255.254',0);
> INSERT INTO radreply VALUES (402,'username','Framed-Pool',':=','Official',0);
>
>
> Any other values are taken care of by the NAS server.
>
> Cheers.
>
>
> On Tue, 26 Oct 2004 14:09:55 -0700
>
> ral <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I'm trying to use mysql with freeradius, my problem is, it looks like ip
> > pool doesn't work, I'm not sure with my schema though, can anyone give
> > me a sample of the schema for this?
> >
> >
> > Thanks.
> >
> > Lito
> >
> >

-- 
Best Regards,
Nachko Halachev



Re: ip pool in mysql

2004-10-26 Thread Martin Jessa
Hi.

I use Mikrotik as my NAS server and there I have configured an IP-Pool called Official
And this is my SQL:

CREATE TABLE radreply (
  id int(11) unsigned NOT NULL auto_increment,
  UserName varchar(64) NOT NULL default '',
  Attribute varchar(32) NOT NULL default '',
  op char(2) NOT NULL default '=',
  Value varchar(253) NOT NULL default '',
  prio int(10) unsigned NOT NULL default '0',
  PRIMARY KEY  (id),
  KEY UserName (UserName(32))
) TYPE=MyISAM;


INSERT INTO radreply VALUES (341,'username','Ascend-Data-Rate','=','524288',0);
INSERT INTO radreply VALUES (340,'username','Ascend-Data-Rate','=','524288',1);
INSERT INTO radreply VALUES (339,'username','Port-Limit','=','1',0);
INSERT INTO radreply VALUES 
(338,'username','Framed-IP-Address','=','255.255.255.254',0);
INSERT INTO radreply VALUES (402,'username','Framed-Pool',':=','Official',0);


Any other values are taken care of by the NAS server.

Cheers.


On Tue, 26 Oct 2004 14:09:55 -0700
ral <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I'm trying to use mysql with freeradius, my problem is, it looks like ip
> pool doesn't work, I'm not sure with my schema though, can anyone give
> me a sample of the schema for this?
> 
> 
> Thanks.
> 
> Lito 
> 
> 


Re: ip pool for each realm

2004-09-29 Thread Bad Moh

Just understand the multiple default entries in
radiusd.conf.

Thanks a lot for your reply.

 --- Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> On Mon, 20 Sep 2004, Bad Moh wrote:
> 
> > Hi,
> >
> > How can I configure freeradius to allocate ip address from different pools
> > based on the users realm ?
> >
> > realm1 -> 10.1.0.0/16
> > realm2 -> 10.2.0.0/16
> > etc ...
> >
> > Is it possible ?
> 
> DEFAULT   Realm == "first", Pool-Name := "first"
> 
> DEFAULT   Realm == "second", Pool-Name := "second"
> 
> The rest, you can find in radiusd.conf and the
> documentation
> 
> >
> > Thank you in advance.
> >
> >
> 
> --
> Kostas Kalevras   Network Operations Center
> [EMAIL PROTECTED] National Technical University of
> Athens, Greece
> Work Phone:   +30 210 7721861
> 'Go back to the shadow'   Gandalf
> 


Re: ip pool for each realm

2004-09-23 Thread Kostas Kalevras
On Mon, 20 Sep 2004, Bad Moh wrote:

> Hi,
>
> How can I configure freeradius to allocate ip address from different pools based on 
> the users realm ?
>
> realm1 -> 10.1.0.0/16
> realm2 -> 10.2.0.0/16
> etc ...
>
> Is it possible ?

DEFAULT Realm == "first", Pool-Name := "first"

DEFAULT Realm == "second", Pool-Name := "second"

The rest, you can find in radiusd.conf and the documentation

>
> Thank you in advance.
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: ip pool issue

2004-06-21 Thread Alan DeKok
"Miroslaw Niemiec" <[EMAIL PROTECTED]> wrote:
> Could anybody help me if it possible to retrieve from the radius server
> an information what ip address (from ip pool) has been assigned
> to a particular user who is currently logged in to NAS.

  rlm_ippool_tool, which is included with the ippool module in 1.0.0.

  Alan DeKok.



Re: ip pool

2004-06-16 Thread Marco Marques
> "Marco Marques" <[EMAIL PROTECTED]> wrote:
>> I want to know if it's possible to use ippools and sql??
>> i mean having a table with the ippools in the sql database
>
>   Why?
>
>   Alan DeKok.
>
>


so I can assign IPs from that pool to my users


Marco



Re: ip pool

2004-06-16 Thread Alan DeKok
"Marco Marques" <[EMAIL PROTECTED]> wrote:
> I want to know if it's possible to use ippools and sql??
> i mean having a table with the ippools in the sql database

  Why?

  Alan DeKok.



Re: ip pool infos

2004-05-04 Thread Milver S. Nisay
> Hi to everybody,
> i need some information about how the ip-pool works in freeradius.
> More precisely I want to know how the address is sent to the client (is it in
> an attribute of a radius packet?) and what happens when there is more than
> one subnetwork (I mean... how does the radius server choose a right address
> in the range? Is it based on the NAS IP Address?).

group, ip pool, pool name attributes. read the docs/* . read mailing list.
more to google.
if you give up, tell the list, lots of people who can offer commercial
services with this issue.

> Sorry if it is a stupid question but i don't know where to get info about
> that.


stupid question gets misleading and confusing answers. wasted bandwidth and
time.




